BeaverTail and OtterCookie evolve with a new JavaScript module
Contents
- Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). This group is known for impersonating hiring organizations to target job seekers, tricking them into installing information-stealing malware to obtain cryptocurrency and user credentials.
- In this incident, although the organization was not directly targeted, one of its systems was compromised, likely because a user was deceived by a fake job offer and installed a trojanized Node.js application called "Chessfi."
- The malicious software was distributed via a Node.js package named "node-nvm-ssh" on the official NPM repository.
- Famous Chollima often uses two malicious tools, BeaverTail and OtterCookie, which started as separate but complementary programs. Recent campaigns have seen their functions merging, and Talos has identified a new module for keylogging and taking screenshots.
- While searching for related threats, Talos also found a malicious VS Code extension containing BeaverTail and OtterCookie code. Although attribution …
IoC
http://23.227.202.244:1224/brow/14/144
http://23.227.202.244:1224/client/14/144
http://172.86.88.188:1478/upload
http://23.227.202.244:1224/uploads
http://23.227.202.244:1224/payload/14/144
http://23.227.202.244:1224/pdown
http://bitbucket.org/dev-chess/chess-frontend.git
http://172.86.88.188/api/service/makelog
http://144.172.96.35/api/service/makelog
http://172.86.88.188/api/service/process/c841b6c4ac4d2e83f16cf7a8bfbec3d7
http://135.181.123.177/api/service/makelog
http://138.201.50.5:5961/upload
http://172.86.113.12
http://www.npmjs.com/package/node-nvm-ssh
http://172.86.88.188:1418/socket.io/
http://144.172.112.50/api/service/makelog
http://23.227.202.244
http://172.86.73.46
http://23.227.202.244:1224/keys
http://135.181.123.177
http://172.86.88.188:1476/upload
172.86.113.12
172.86.88.188
172.86.73.46
135.181.123.177
144.172.96.35
144.172.112.50
138.201.50.5
23.227.202.244
d89c45d65a825971d250d12bc7a449321e1977f194e52e4ca541e8a908712e47
77aec48003beeceb88e70bed138f535e1536f4bbbdff580528068ad6d184f379
6a9b4e8537bb97e337627b4dd1390bdb03dc66646704bd4b68739d499bd53063
a6914ded72bdd21e2f76acde46bf92b385f9ec6f7e6b7fdb873f21438dfbff1d
caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394
72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d
c841b6c4ac4d2e83f16cf7a8bfbec3d7