Malicious Node Package Deploys OtterCookie
The Blackpoint SOC recently contained an incident involving OtterCookie, a North Korean-linked malware family delivered through a trojanized open-source project hosted on Bitbucket. The campaign specifically targets developers and the financial sector, leveraging the trust placed in open-source dependencies to achieve initial access and stage downstream payloads. The loader code, disguised as part of a 3D chess application, deliberately fails during initialization so that execution lands in its catch block; that handler fetches an "error" message from a remote API and evaluates the returned string as code in the same process, which stages and deploys the OtterCookie malware.
Once executed, the malware unpacked a fake application named client-app into a user-writable directory named System32 under %AppData%\Roaming; the folder name mimics the legitimate %SystemRoot%\System32 but sits in a location the user can write to. A crafted package.json listed the dependencies the payload needed so that they were installed before the malware established Command and Control (C2) communications, over which it exfiltrated system details and screenshots used to prepare tailored follow-on payloads.
The attack chain relied on multiple supporting artifacts, including .bat, .ps1, .dat, and …
IoC
URLs
http://86.106.85.90
http://deobfuscate.io
http://serve-cookie.vercel.app
http://146.70.87.202
http://193.187.148.116
hxxps://bitbucket.org/labs525/chess/src/main/
hxxps://github.com/terin6/CHESS
http://86.106.85.234
http://86.106.85.234:4552
http://78.46.94.230
http://193.27.14.208
hxxp://86.106.85.234/api/service/makelog
http://obfuscater.io
http://86.106.85.234:4558/upload
http://86.106.85.234/api/service/process/<uid
IP addresses
193.187.148.116
86.106.85.234
78.46.94.230
86.106.85.90
146.70.87.202
193.27.14.208
Email addresses
[email protected]
[email protected]
[email protected]
SHA-256 hashes
8B3DEB9426B405EB8E08AC2A9868E55980A3A24B7F033E4040A08C029D721894
C077F24E0C8FD9B10AF046F7811046BC97FE9723A354FAE129FD49720DA5C87E
57533E0BF2A9857BF1E603039B6B3E9EEB9CB5B53BB490D4ECDAA57EFAD0D27C
51322339B720D6E81BEF2B7D415C242E222939C0A3624C5EDC791DB9472F7EC8
ADEE6C5CC15432F0E4A5202B2653AEB057D988DC18ECDCDED7038B91BD8212B2
C0CEC1CA432EB8AE0CB43325CA10C25B436EE88EDD6F08E4B74BC1EE27E83766
8D3B4D38914029C2B9CF83F6DED99FA1E73F89FC390FFF369BDDEDAB4729F04D