OtterCookie, new malware used in Contagious Interview campaign
This article is the English version of the Japanese article "On OtterCookie, a new malware used in Contagious Interview", translated by Ryu Hiyoshi, NTTSH SOC analyst.
The original article was authored by our SOC analysts, Masaya Motoda and Rintaro Koike.
Introduction
Contagious Interview is reported to be an attack campaign related to North Korea; Palo Alto Networks published a report on it in November 2023 [1]. Unlike typical nation-state-backed targeted attacks, Contagious Interview appears to be financially motivated and its targeting is broader. Since our SOC occasionally observes security incidents from this campaign, Japanese organizations should pay close attention to it.
Since around November 2024, our SOC has observed the execution of unknown malware, neither BeaverTail nor InvisibleFerret, in the Contagious Interview campaign. We named the newly observed malware OtterCookie and performed detailed research on it. In this article, we introduce its execution flow and detailed behavior.
Execution Flow
Though the Contagious Interview campaign employs various initial attack vectors, most of them start with Node.js projects …
IoC