BleepingComputer reports that intrusions with the new OtterCookie malware and its updated iteration have been launched by North Korean threat actors against software developers as part of the Contagious Interview campaign, which initially involved the deployment of the BeaverTail and InvisibleFerret payloads.
Attackers have distributed the loader carrying OtterCookie through malicious npm packages hosted on Bitbucket or GitHub, as well as through Qt files and Electron apps; once executed, the loader uses the Socket.IO WebSocket library to receive data exfiltration commands, according to an analysis from NTT Security Japan.
While the initial version of OtterCookie identified in September could steal Ethereum private keys through its built-in checkForSensitiveData function, the November update performs the same theft, along with clipboard data theft, via remote shell commands. Researchers also found that the newer OtterCookie variant integrates reconnaissance commands that could support lateral movement and further compromise of systems.
Such findings indicate the continued evolution of the Contagious Interview campaign, which should prompt increased vigilance among software developers, researchers said.