Sunday, November 30, 2025

North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware


Nov 28, 2025 | Ravie Lakshmanan | Supply Chain Attack / Malware

The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month.

According to Socket, these packages have been downloaded over 31,000 times, and are designed to deliver a variant of OtterCookie that brings together the features of BeaverTail and prior versions of OtterCookie.

Some of the identified "loader" packages are listed below –

  • bcryptjs-node
  • cross-sessions
  • json-oauth
  • node-tailwind
  • react-adparser
  • session-keeper
  • tailwind-magic
  • tailwindcss-forms
  • webpack-loadcss

The malware, once launched, attempts to evade sandboxes and virtual machines, profiles the machine, and then establishes a command-and-control (C2) channel to provide the attackers with a remote shell, along with capabilities to steal clipboard contents, log keystrokes, capture screenshots, and gather browser credentials, documents, cryptocurrency wallet data, and seed phrases.

It's worth noting that the blurring distinction between OtterCookie and BeaverTail was documented by Cisco Talos last month in connection with an infection that impacted a system associated with an organization headquartered in Sri Lanka after a user was likely deceived into running a Node.js application as part of a fake job interview process.

Further analysis has determined that the packages are designed to connect to a hard-coded Vercel URL ("tetrismic.vercel[.]app"), which then proceeds to fetch the cross-platform OtterCookie payload from a threat actor-controlled GitHub repository. The GitHub account that serves as the delivery vehicle, stardev0914, is no longer accessible.
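As an added defender-side example (not code from the article, from Socket, or from any of the packages named), the following Node.js script flags the listed loader package names in an npm lockfile and matches the hard-coded staging host in source or script text; the sample lockfile, its version numbers, and the function names are assumptions constructed for the demonstration.

```javascript
// Added example, not code from the article, Socket, or any of the packages discussed:
// audit a package-lock.json for the loader package names listed above and for the
// hard-coded Vercel staging host. Only the names and the host come from the article;
// the sample lockfile, versions and function names are constructed for this demo.
const LOADER_PACKAGES = new Set([
  'bcryptjs-node', 'cross-sessions', 'json-oauth', 'node-tailwind', 'react-adparser',
  'session-keeper', 'tailwind-magic', 'tailwindcss-forms', 'webpack-loadcss',
]);
// The article defangs the host as tetrismic.vercel[.]app; compare the normalised form.
const STAGING_HOST = 'tetrismic.vercel.app';

// npm lockfile v2/v3 keys each entry by its node_modules path, including nested
// copies like "node_modules/a/node_modules/b"; the "" key is the root project.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// One finding per suspicious entry, listing every reason that fired.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name === null) continue;
    const reasons = [];
    if (LOADER_PACKAGES.has(name)) reasons.push('name matches a loader package from the Socket report');
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall
    // hooks; not malicious by itself, but install hooks are where loaders typically run.
    if (meta.hasInstallScript) reasons.push('declares an install script; review it');
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}
// Scan source or script text for the staging host, accepting the defanged "[.]" form
// so an indicator pasted straight from a report still matches.
function containsStagingHost(text) {
  return text.replace(/\[\.\]/g, '.').includes(STAGING_HOST);
}
// Constructed sample: a benign dependency, one loader package that also declares an
// install script, and a second loader package nested under another dependency.
const SAMPLE_LOCKFILE = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { dependencies: { react: '^18.2.0', 'tailwind-magic': '^1.0.3' } },
    'node_modules/react': { version: '18.2.0' },
    'node_modules/tailwind-magic': { version: '1.0.3', hasInstallScript: true },
    'node_modules/react/node_modules/session-keeper': { version: '0.2.1' },
  },
};
```

To check a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile` and run `containsStagingHost` over each dependency's entry file and `package.json` scripts.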

“This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows,” security researcher Kirill Boychenko said.

The development comes as fake assessment-themed websites created by the threat actors have leveraged ClickFix-style instructions to deliver malware called GolangGhost (aka FlexibleFerret or WeaselStore) under the pretext of fixing camera or microphone issues. The activity is tracked under the moniker ClickFake Interview.


Written in Go, the malware contacts a hard-coded C2 server and enters into a persistent command-processing loop to collect system information, upload/download files, run operating system commands, and harvest information from Google Chrome. Persistence is achieved by writing a macOS LaunchAgent that triggers its execution by means of a shell script automatically upon user login.

Also installed as part of the attack chain is a decoy application that displays a bogus Chrome camera access prompt to keep up the ruse. Subsequently, it presents a Chrome-style password prompt that captures the content entered by the user and sends it to a Dropbox account.

“Although there is some overlap, this campaign is distinct from other DPRK IT Worker schemes that focus on embedding actors within legitimate companies under false identities,” Validin said. “Contagious Interview, by contrast, is designed to compromise individuals through staged recruiting pipelines, malicious coding exercises, and fraudulent hiring platforms, weaponizing the job application process itself.”
