Source |
RiskIQ |
Identifier |
8630663 |
Publication date |
2024-12-27 16:14:14 (viewed: 2024-12-27 17:08:22) |
Title |
New 'OtterCookie' malware used to backdoor devs in fake job offers |
Text |
## Snapshot
NTT Security Japan reports that North Korean threat actors have been deploying a new malware, 'OtterCookie,' as part of the [Contagious Interview](https://security.microsoft.com/intel-explorer/articles/9ce29d67) campaign.
## Description
The campaign lures developers with fake job offers to deliver malware, including BeaverTail and InvisibleFerret. [NTT Security Japan](https://jp.security.ntt/tech_blog/contagious-interview-ottercookie) reports that the new malware came out around September 2024, with a new variant emerging in November 2024. OtterCookie is delivered through a loader that executes JavaScript code fetched as JSON data, and it has been observed running both alongside BeaverTail and on its own. Infection vectors include Node.js projects or npm packages hosted on GitHub or Bitbucket and, more recently, files built as Qt or Electron applications. Once on the target device, OtterCookie establishes a secure connection with its C2 infrastructure using the socket.io WebSocket library. It can steal sensitive data such as cryptocurrency wallet keys using the checkForSensitiveData function. The November variant uses a library called clipboardy to exfiltrate clipboard content. It can also execute reconnaissance commands such as 'ls' and 'cat' to explore the environment for further infiltration or lateral movement. The evolution of the malware and the diversification of infection methods suggest that the threat actors are experimenting with new tactics.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- [Help prevent social engineering attacks](https://www.microsoft.com/en-us/security/security-insider/emerging-threats/feeding-from-the-trust-economy-social-engineering-fraud?ocid=magicti_ta_blog) by not blending personal accounts with work emails or work-related tasks. Avoid opening emails, attachments, and links, including links from social networks, from suspicious sources. Ask yourself if the sender is who they say they are before clicking anything. Be wary of senders and offers. Do a search to determine if the offer is legitimate or a trap.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- Activate conditional access policies. [Conditional access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview?ocid=magicti_ta_learndoc) policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by activating policies regarding compliant devices or trusted IP address requirements.
- Remind employees that enterprise or workplace credentials should not be stored in browsers or in password vaults secured with personal credentials. Organizations can turn off password syncing in the browser on managed devices using [Group Policy](https://learn.microsoft.com/deployedge/microsoft-edge-enterprise-sync#sync-group-policies?ocid=magicti_ta_learndoc).
- Practice the [principle of least privilege and building credential hygiene](https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself?ocid=magicti_ta_blog#defending-against-ransomware). Avoid the use of domain-wide, admin-level service accounts. Restricting local admin |
Notes |
★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
|