Hunting Lazarus Part III: The Infrastructure That Was Too Perfect
We discovered a second malware family, mapped approximately 20 ghost servers with consistent configurations, attempted to exploit the C2 infrastructure—and ended up questioning whether we were hunting them, or they were hunting us.
Executive Summary
During continued investigation of the Contagious Interview campaign, Red Asgard's threat research team:
- Discovered OtterCookie, a second malware family operating alongside BeaverTail/InvisibleFerret—more advanced, with keylogging, screenshot capture, VM evasion, and 27 wallet extension targets
- Mapped approximately 20 previously undocumented C2 servers with consistent port configurations—evidence of Infrastructure-as-Code deployment
- Confirmed both malware families share the same servers, with BeaverTail on port 1244 and OtterCookie on port 5918
- Attempted to exploit the C2 infrastructure using 11 attack classes (SSTI, prototype pollution, HTTP smuggling, XXE, command injection, deserialization, SSRF, file upload RCE, CRLF, FTP brute force, Express.js CVEs)—every single one failed
- Identified six indicators that this infrastructure may be a honeypot …
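As an added detection example (not the report's own tooling), the following script scans Zeek-style conn.log lines for TCP connections to the two listener ports named above and rates each destination by whether it exposes one or both; the log lines and the RFC 5737 addresses in them are constructed.

```python
# Added example (not from the Red Asgard report): flag hosts that expose the C2 port pairing
# described above, BeaverTail on TCP 1244 and OtterCookie on TCP 5918, in Zeek-style conn logs.
from collections import defaultdict

C2_PORTS = {1244: "BeaverTail", 5918: "OtterCookie"}  # ports stated in the report

# Constructed sample lines (tab-separated: ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state).
# The addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_CONN_LOG = """\
1700000000.1\t192.0.2.10\t51234\t203.0.113.5\t1244\ttcp\tSF
1700000001.2\t192.0.2.10\t51240\t203.0.113.5\t5918\ttcp\tSF
1700000002.3\t192.0.2.11\t51300\t203.0.113.9\t1244\ttcp\tSF
1700000003.4\t192.0.2.12\t51310\t203.0.113.5\t443\ttcp\tSF
1700000004.5\t192.0.2.13\t51320\t198.51.100.7\t5918\tudp\tS0
"""

def parse_conn_line(line):
    """Return (orig_h, resp_h, resp_p, proto) for one conn.log line, or None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    try:
        return fields[1], fields[3], int(fields[4]), fields[5]
    except ValueError:
        return None

def find_c2_candidates(log_text):
    """Group TCP connections to the known listener ports by destination and rate each one:
    both ports seen -> 'high' (matches the shared-server pattern), one port -> 'medium'."""
    seen = defaultdict(lambda: {"families": set(), "sources": set()})
    for line in log_text.splitlines():
        parsed = parse_conn_line(line)
        if parsed is None:
            continue
        orig_h, resp_h, resp_p, proto = parsed
        if proto != "tcp" or resp_p not in C2_PORTS:
            continue  # only TCP to 1244/5918 is relevant to this fingerprint
        seen[resp_h]["families"].add(C2_PORTS[resp_p])
        seen[resp_h]["sources"].add(orig_h)  # internal hosts to triage if this is real C2
    findings = {}
    for resp_h, info in seen.items():
        confidence = "high" if len(info["families"]) == len(C2_PORTS) else "medium"
        findings[resp_h] = {"families": sorted(info["families"]),
                            "sources": sorted(info["sources"]),
                            "confidence": confidence}
    return findings

if __name__ == "__main__":
    for host, info in find_c2_candidates(SAMPLE_CONN_LOG).items():
        print(host, info)
```

On the sample data, 203.0.113.5 is rated high (both ports reached from 192.0.2.10) and 203.0.113.9 medium; the UDP line and the port 443 line are ignored.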
IoC