Full Report
North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie. Contagious Interview (aka DeceptiveDevelopment) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into
Analysis Summary
# Threat Actor: CL-STA-0240 (Associated with North Korea)
## Attribution & Identity
* **Attribution:** North Korean threat actors.
* **Aliases and Associated Groups:**
  * Contagious Interview (Campaign Name)
  * DeceptiveDevelopment
  * Famous Chollima (also associated with the insider threat operation)
  * Tenacious Pungsan
  * Nickel Tapestry
  * UNC5267
  * Wagemole
* **Known Associations:** The threat cluster is assessed to be linked to the **313th General Bureau** under the Munitions Industry Department of the Workers' Party of Korea, which seeks funds for nuclear and missile development.
## Activity Summary
The actors are conducting the "Contagious Interview" campaign, which utilizes social engineering, specifically posing as recruiters to trick victims into downloading malware during a purported interview process. This campaign has been ongoing since at least November 2023. Recent activity includes the introduction and updating of the **OtterCookie** JavaScript malware (introduced September 2024). The campaign chain involves distributing malware-laced videoconferencing apps or npm packages hosted on GitHub or official package registries, leading to the deployment of malware like BeaverTail and InvisibleFerret.
## Tactics, Techniques & Procedures
- **Social Engineering:** Posing as recruiters to distribute malicious files/software.
- **Initial Access:** Distributing malicious npm packages or videoconferencing applications.
- **Payload Delivery/Execution:** Utilizing BeaverTail as an initial payload, which in turn fetches and executes OtterCookie.
- **Modular Malware Evolution:** Updated BeaverTail versions offload information-stealing functionality to Python scripts tracked as **CivetQ**.
- **Command and Control (C2):** OtterCookie establishes C2 communication using the Socket.IO JavaScript library.
- **Data Exfiltration:** Executing shell commands to steal files, clipboard content, and cryptocurrency wallet keys.
- **Sanctions Evasion Operations:** Allegedly involved in an insider threat operation in which North Korean IT workers secure employment at Western companies to illegally generate foreign currency for the regime.
## Targeting
* **Sectors:** Not explicitly detailed beyond general victims targeted by job scams; associations suggest involvement in IT employment schemes targeting Western companies and non-profit organizations. The broader context mentions funds for nuclear/missile development.
* **Geography:** Victims targeted via job lures implicitly include those in regions where Western companies operate. South Korean sanctions mention IT personnel dispatched to China, Russia, Southeast Asia, and Africa.
* **Victims:** Individuals seeking job opportunities/recruitment candidates.
## Tools & Infrastructure
* **Malware Families:**
  * OtterCookie (New JavaScript malware observed since September 2024)
  * BeaverTail (Older malware, updated modular versions)
  * InvisibleFerret
  * CivetQ (Python scripts used for information stealing in newer BeaverTail variants)
* **Infrastructure:**
  * Command and Control (C2) servers communicating via the Socket.IO JavaScript library.
  * Malicious npm packages and files hosted on GitHub.
## Implications
This cluster remains highly active and adaptive, as evidenced by the introduction of OtterCookie and the modularization of BeaverTail, suggesting a continuous effort to refine execution and data theft capabilities while maintaining a highly effective initial access vector (job lures). The activities are directly linked to funding North Korea's nuclear and missile programs, elevating the threat from cybercrime to a national security concern sanctioned by South Korea and the U.S. DOJ.
## Mitigations
- Exercise extreme caution with software or interview materials received via unverified sources, especially when job seeking.
- Thoroughly vet software packages, particularly from public registries like npm, before implementation or execution.
- Monitor for suspicious C2 communication patterns, especially outbound connections that use JavaScript real-time libraries such as Socket.IO to hosts where no such service is expected.
- Implement segmentation to limit the impact of supply chain compromise via compromised packages.
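One way to act on the Socket.IO monitoring point above, as an added example that is not part of the original report: Socket.IO's transport layer (Engine.IO) announces itself with `EIO=<version>` and `transport=polling|websocket` query parameters, by default under the `/socket.io/` path, so a proxy log can be scanned for such handshakes to hosts outside an allowlist. The log format, the allowlist and every address below are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not from the report): "client method url status"
SAMPLE_LOG = """\
10.0.0.12 GET https://intranet.example.com/socket.io/?EIO=4&transport=polling&t=OxQ1abc 200
10.0.0.12 GET https://cdn.example.com/static/app.js 200
10.0.0.31 GET http://203.0.113.45:1224/socket.io/?EIO=4&transport=websocket 101
10.0.0.31 POST https://api.github.com/graphql 200
10.0.0.57 GET http://198.51.100.9/rt/?EIO=3&transport=polling&t=N8hyi 200
"""

# Hosts where Socket.IO traffic is legitimately expected (assumed allowlist).
ALLOWED_SOCKETIO_HOSTS = {"intranet.example.com"}

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def is_engineio_handshake(url):
    """Return (eio_version, transport) if the URL carries an Engine.IO handshake,
    else None. The query parameters are checked rather than the path, because a
    client can be configured with a non-default path; the default is /socket.io/."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    transport = qs.get("transport", [None])[0]
    if "EIO" not in qs or transport not in ("polling", "websocket"):
        return None
    return qs["EIO"][0], transport


def find_suspicious_socketio(log_text, allowed_hosts=ALLOWED_SOCKETIO_HOSTS):
    """Flag Engine.IO handshakes to hosts that are not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log format
        handshake = is_engineio_handshake(m["url"])
        if handshake is None:
            continue
        host = urlsplit(m["url"]).hostname
        if host in allowed_hosts:
            continue
        version, transport = handshake
        hits.append({"client": m["client"], "host": host,
                     "eio": version, "transport": transport})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_socketio(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} (EIO {hit['eio']}, {hit['transport']})")
```

A hit is a lead, not a verdict: confirm by checking which process on the client opened the connection and whether the destination is a known service.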