Full Report
The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset. That's according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming
Analysis Summary
# Threat Actor: North Korean Cluster (Associated with Contagious Interview)
## Attribution & Identity
Nation-state threat actor originating from North Korea.
**Known Aliases and Associations:** CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
## Activity Summary
The actor is actively refining its toolset, recently observed merging functionalities between the BeaverTail and OtterCookie malware strains. This activity is linked to the ongoing **Contagious Interview** recruitment scam campaign, which began around late 2022. The campaign involves impersonating hiring organizations to trick job seekers into installing malware under the guise of technical assessments. Recent shifts in the campaign also included leveraging ClickFix social engineering and deploying other malware strains like GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. The cluster has also been documented using the novel technique of 'EtherHiding' to fetch subsequent payloads from decentralized infrastructure.
## Tactics, Techniques & Procedures
- **Social Engineering:** Exploits recruitment lures (Contagious Interview) and uses ClickFix social engineering to deliver initial payloads.
- **Supply Chain Compromise/Initial Access:** Delivered malware via trojanized applications (e.g., a Node.js application named Chessfi hosted on Bitbucket) bundled within fake job requirements. Utilized dependencies published to official repositories (e.g., the `node-nvm-ssh` package on npm, leveraging package `postinstall` hooks).
- **Payload Delivery/Execution:** Uses JavaScript payloads launched via `package.json` scripts to execute final-stage malware.
- **Malware Functionality Merging:** Combining features of BeaverTail (information stealer/downloader) and OtterCookie (command execution).
- **New Feature Addition:** OtterCookie has been updated with a new module for keylogging and taking screenshots.
- **C2 Resilience:** Utilizing "EtherHiding" to fetch secondary payloads from BNB Smart Chain (BSC) or Ethereum blockchains, turning decentralized infrastructure into resilient C2.
## Targeting
- **Sectors:** Not explicitly limited; observed activity intersects with organizations that run software-development and technical-assessment processes.
- **Geography:** An organization headquartered in **Sri Lanka** was recently observed being infected.
- **Victims:** Job seekers targeted by recruitment scams; the documented infection involved a company in Sri Lanka, likely compromised when a user installed a trojanized Node.js application.
## Tools & Infrastructure
- **Malware Families:** BeaverTail, OtterCookie, InvisibleFerret, GolangGhost, PylangGhost, TsunamiKit, Tropidoor, AkdoorTea.
- **Infrastructure (C2, domains, IPs):**
  - Decentralized Infrastructure: BNB Smart Chain (BSC) and Ethereum blockchains used for C2 communication/payload retrieval via EtherHiding.
  - Hosting: Bitbucket (for hosting the trojanized application Chessfi).
  - Initial Stage Dependency: `node-nvm-ssh` npm package (now taken down).
## Implications
This actor demonstrates advanced operational tradecraft by actively evolving its bespoke malware (melding BeaverTail and OtterCookie) and adopting sophisticated, novel C2 methods (EtherHiding) previously seen only in cybercrime groups. The focus on the software supply chain via npm repositories indicates a persistent threat to development environments globally as part of their established espionage/theft objectives facilitated by the job scam lure.
## Mitigations
- Implement strict scrutiny and verification processes for third-party dependencies, especially those installed via package managers like npm.
- Monitor package repository activity for unusual packages or packages rapidly deployed and subsequently removed.
- Review recruitment processes to ensure technical assessments do not require downloading and executing unverified code from external sources, particularly if the evaluation involves Node.js or similar development frameworks.
- Harden environments against post-installation hooks in package lifecycle scripts.
- Implement network monitoring to detect unusual outbound connections to blockchain RPC nodes or explorers often associated with EtherHiding techniques.