North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware
The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset. That's according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming
AI Analysis
Technical Summary
The North Korean threat actor associated with the Contagious Interview campaign has been observed integrating the capabilities of two malware families, BeaverTail and OtterCookie, into a sophisticated JavaScript malware platform. BeaverTail primarily functions as an information stealer and downloader, while OtterCookie initially focused on command-and-control communications and remote command execution. The new merged malware, referred to as OtterCookie v5, incorporates modules for keylogging, screenshot capture, clipboard monitoring, browser profile and extension enumeration, cryptocurrency wallet data theft, and persistent remote access via AnyDesk installation. The malware is delivered through social engineering campaigns impersonating legitimate hiring organizations, tricking victims into installing trojanized Node.js packages such as "Chessfi" hosted on Bitbucket and malicious npm packages like "node-nvm-ssh." These packages use postinstall hooks to execute JavaScript payloads that load further malicious scripts. The malware also downloads a Python backdoor named InvisibleFerret, enhancing persistence and control. Notably, the attackers employ a stealthy technique called EtherHiding, leveraging decentralized blockchain networks (BNB Smart Chain and Ethereum) as resilient command-and-control infrastructure, a novel approach for a nation-state actor. The malware targets sensitive data including browser-stored credentials, cryptocurrency wallets (notably on Chrome and Brave browsers), clipboard contents, and system information. Cisco Talos also detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, suggesting experimentation with new delivery vectors. The campaign’s evolution demonstrates increasing sophistication in supply chain attacks, social engineering, and modular malware design, posing significant risks to organizations worldwide.
Potential Impact
European organizations are at considerable risk from this advanced malware campaign due to several factors. The malware’s ability to steal sensitive information from browsers and cryptocurrency wallets threatens confidentiality and financial assets, particularly for companies involved in fintech, cryptocurrency trading, and blockchain technology. The use of social engineering via fake job offers exploits the large remote and hybrid workforce prevalent in Europe, increasing the likelihood of initial compromise. The malware’s persistence mechanisms and remote access capabilities enable long-term espionage and data exfiltration, potentially impacting intellectual property, personal data, and strategic business information. The use of decentralized blockchain infrastructure for command-and-control complicates detection and mitigation efforts, increasing the malware’s resilience. Supply chain attacks via npm packages threaten software development environments, which are critical in Europe’s growing tech sector. Overall, the campaign could lead to data breaches, financial theft, reputational damage, and regulatory penalties under GDPR for affected European entities.
Mitigation Recommendations
European organizations should implement targeted mitigations beyond generic advice:
1) Enforce strict software supply chain security by auditing and restricting use of third-party npm packages, employing tools to detect malicious dependencies, and monitoring package behavior post-installation.
2) Enhance user awareness programs focused on social engineering tactics, especially fake recruitment scams, emphasizing verification of job offers and software sources.
3) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting keylogging, screenshot capture, and unusual network communications, including blockchain-based C2 traffic.
4) Monitor and restrict installation of unauthorized Visual Studio Code extensions and Node.js packages in developer environments.
5) Implement network segmentation and strict access controls to limit lateral movement and data exfiltration.
6) Use threat intelligence feeds to detect indicators related to the Contagious Interview campaign and its associated malware.
7) Regularly review and update incident response plans to address supply chain and social engineering attacks.
8) Employ multi-factor authentication and credential monitoring to reduce the impact of stolen credentials.
9) Collaborate with npm and Bitbucket maintainers to report and remove malicious packages promptly.
10) Consider blockchain traffic analysis tools to identify and block EtherHiding-based C2 communications.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland, Estonia, Ireland, Switzerland
Technical Details
- Article Source: https://thehackernews.com/2025/10/north-korean-hackers-combine-beavertail.html (fetched 2025-10-19T01:26:45Z, 1464 words)
Threat ID: 68f43e5777122960c1652c5c
Added to database: 10/19/2025, 1:26:47 AM
Last enriched: 10/19/2025, 1:27:13 AM
Last updated: 12/4/2025, 10:57:10 AM