North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware

The hacking group linked to the Contagious Interview campaign has been observed merging the functionality of two of its malware programs, indicating active refinement of its toolset. In recent campaigns the capabilities of BeaverTail and OtterCookie have been converging, with OtterCookie now equipped with a new module for keylogging and taking screenshots, according to new findings from Cisco Talos. The group is tracked under various names in the cybersecurity community.

Google Threat Intelligence Group (GTIG) and Mandiant have revealed the group’s use of a stealthy technique called EtherHiding to fetch next-stage payloads from decentralized infrastructure, turning it into a resilient command-and-control (C2) server. This marks the first documented case of a nation-state actor using such a method.

Contagious Interview is an elaborate recruitment scam where North Korean threat actors impersonate hiring organizations to target job seekers, tricking them into installing malware under the guise of technical assessments or coding tasks to steal sensitive data and cryptocurrency.

In recent months, the campaign has evolved, leveraging social engineering techniques to deliver malware strains like GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Key malware families involved in the attacks include BeaverTail, OtterCookie, and InvisibleFerret.

BeaverTail and OtterCookie are separate but complementary tools, with the latter first observed in attacks in September 2024. BeaverTail steals information and downloads additional files, whereas OtterCookie in its early form contacted a remote server to receive commands. Recent activity, however, shows the functionality of the two converging.

An organization in Sri Lanka was unintentionally affected by the threat actors, likely due to a user falling victim to a fake job offer that led to the installation of a trojanized Node.js application. The malware utilized a malicious npm package that was later taken down after attracting downloads.

Further analysis revealed that the malware had characteristics of both BeaverTail and OtterCookie, incorporating a new module for keylogging, screenshotting, and clipboard monitoring. This evolution indicates a shift from basic data-gathering to a more advanced data theft and remote command execution tool.

Additional functionality present in the malware, tracked as OtterCookie v5, includes a remote shell module, a file upload module, and a module that steals data from cryptocurrency extensions. The presence of a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing both BeaverTail and OtterCookie code suggests the group is experimenting with new malware delivery methods.

It’s worth noting that the content in this article is based on findings from Cisco Talos and Google Threat Intelligence Group, highlighting the evolving tactics of a threat actor involved in the Contagious Interview campaign.