After activating the target device, OtterCookie uses the Socket.IO WebSocket tool to create secure communications with its command and control (C2) infrastructure and waits for commands. The researchers looked at shell commands that steal data, such as gathering documents, photos, Bitcoin wallet keys, and other important data.

OtterCookie's September edition previously allowed the theft of Bitcoin wallet keys. For instance, the checkForSensitiveData function looked for Ethereum private keys using regular expressions. However, the malware's November version altered this, using remote shell instructions to accomplish this.

Additionally, the most recent version of OtterCookie can exfiltrate clipboard data—which may include sensitive information—to the threat actors. Reconnaissance-related commands, such as "ls" and "cat," were also found, suggesting that the attacker intended to investigate the area and set it up for lateral movement or deeper infiltration.

The threat actors behind the Contagious Interview campaign are experimenting with new strategies, as seen by the emergence of new malware and a variety of infection techniques. When a job offer includes coding exams, software developers should be cautious about running code on their personal or work computers and try to confirm facts about a possible company.

Impact

• Unauthorized Access
• Code Execution
• Sensitive Data Theft
• Cryptocurrency Theft

Indicators of Compromise

Domain Name

• zkservice.cloud
• w3capi.marketing
• payloadrpc.com

IP

• 45.159.248.55

MD5

• ef13692228ee8e929c6e2e463b1ec30b
• 30ed90b4a570d6ff0c29759bfff491c2
• 01abb0b0fff83bea08eef2a1bd8cb413
• 9154c7d643e6d762dd1ab1df9125e4ea

SHA-256

• d19ac8533ab14d97f4150973ffa810e987dea853bb85edffb7c2fcef13ad2106
• 7846a0a0aa90871f0503c430cc03488194ea7840196b3f7c9404e0a536dbb15e
• 4e0034e2bd5a30db795b73991ab659bda6781af2a52297ad61cae8e14bf05f79
• 32257fb11cc33e794fdfd0f952158a84b4475d46f531d4bee06746d15caf8236

SHA1

• 3630d9daeb501bf345299aacc710fd68aa7a154f
• 98746c50fc4aa656fe3a5747cc05ecaa7c17243b
• 64c3b90c4093091c4cdedce4b7807dd790323624
• a94cef78aa9f22284c7e733680a1369caa50f035

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Encourage users to regularly update their systems and install security patches to mitigate vulnerabilities that threat actors may exploit.
• Advocate for the implementation of multi-factor authentication wherever possible to add an extra layer of security, especially for sensitive applications like messaging and financial apps.
• Organizations should conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in their systems and networks.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization to secure its websites and software. Test tools are used to detect any vulnerabilities in the deployed codes.