Date: 01/01/2025
Severity: Medium
Summary
OtterCookie is new malware used in Contagious Interview, an ongoing attack campaign attributed to North Korea that is financially motivated rather than politically targeted. Observed by SOCs since November 2024, OtterCookie is a new addition to the Contagious Interview toolset, which previously featured malware such as BeaverTail and InvisibleFerret. Its execution flow and behavior differ from those earlier samples and remain under investigation. Japanese organizations, among others, are advised to remain cautious as incidents linked to this campaign continue to emerge.
Indicators of Compromise (IOC) List
Type | Indicator |
URL/Domain | zkservice.cloud |
URL/Domain | w3capi.marketing |
URL/Domain | payloadrpc.com |
IP Address | 45.159.248.55 |
Hash (SHA-256) | d19ac8533ab14d97f4150973ffa810e987dea853bb85edffb7c2fcef13ad2106 |
Hash (SHA-256) | 7846a0a0aa90871f0503c430cc03488194ea7840196b3f7c9404e0a536dbb15e |
Hash (SHA-256) | 4e0034e2bd5a30db795b73991ab659bda6781af2a52297ad61cae8e14bf05f79 |
Hash (SHA-256) | 32257fb11cc33e794fdfd0f952158a84b4475d46f531d4bee06746d15caf8236 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "zkservice.cloud" or url like "zkservice.cloud" or userdomainname like "w3capi.marketing" or url like "w3capi.marketing" or userdomainname like "payloadrpc.com" or url like "payloadrpc.com" |
Detection Query 2 | dstipaddress IN ("45.159.248.55") or ipaddress IN ("45.159.248.55") or publicipaddress IN ("45.159.248.55") or srcipaddress IN ("45.159.248.55") |
Detection Query 3 | sha256hash IN ("4e0034e2bd5a30db795b73991ab659bda6781af2a52297ad61cae8e14bf05f79","7846a0a0aa90871f0503c430cc03488194ea7840196b3f7c9404e0a536dbb15e","32257fb11cc33e794fdfd0f952158a84b4475d46f531d4bee06746d15caf8236","d19ac8533ab14d97f4150973ffa810e987dea853bb85edffb7c2fcef13ad2106") |
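The three queries above expressed as an offline matcher over constructed sample events, added here as an example and not code from the advisory or from Gurucul. The field names follow the queries; the event schema, the sample events and the host/subdomain matching (tighter than the queries' substring `like`) are assumptions of this example.

```python
# Indicators taken from the advisory above.
from urllib.parse import urlsplit

IOC_DOMAINS = {"zkservice.cloud", "w3capi.marketing", "payloadrpc.com"}
IOC_IPS = {"45.159.248.55"}
IOC_SHA256 = {
    "d19ac8533ab14d97f4150973ffa810e987dea853bb85edffb7c2fcef13ad2106",
    "7846a0a0aa90871f0503c430cc03488194ea7840196b3f7c9404e0a536dbb15e",
    "4e0034e2bd5a30db795b73991ab659bda6781af2a52297ad61cae8e14bf05f79",
    "32257fb11cc33e794fdfd0f952158a84b4475d46f531d4bee06746d15caf8236",
}
# Field names mirror the three queries; the event schema itself is assumed.
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

def domain_hit(value: str) -> str:
    """Exact-host or subdomain match (tighter than the query's substring 'like')."""
    v = value.strip().lower()
    host = (urlsplit(v).hostname or "") if "://" in v else v.split("/")[0].split(":")[0]
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return ""

def match_event(event: dict) -> list:
    """Return (query, field, indicator) for every IOC the event touches."""
    hits = []
    for f in DOMAIN_FIELDS:
        d = domain_hit(str(event.get(f, "")))
        if d:
            hits.append(("Detection Query 1", f, d))
    for f in IP_FIELDS:
        ip = str(event.get(f, "")).strip()
        if ip in IOC_IPS:
            hits.append(("Detection Query 2", f, ip))
    h = str(event.get("sha256hash", "")).strip().lower()  # hashes may be logged upper-case
    if h in IOC_SHA256:
        hits.append(("Detection Query 3", "sha256hash", h))
    return hits

# Constructed sample events: three true positives, one look-alike domain, one benign.
SAMPLE_EVENTS = [
    {"url": "https://api.payloadrpc.com/sync", "srcipaddress": "10.0.0.5"},
    {"userdomainname": "corp.example", "dstipaddress": "45.159.248.55"},
    {"sha256hash": "D19AC8533AB14D97F4150973FFA810E987DEA853BB85EDFFB7C2FCEF13AD2106"},
    {"url": "https://zkservice.cloud.example.com/"},
    {"url": "https://example.com/"},
]

def scan(events=SAMPLE_EVENTS) -> list:
    return [(i, *hit) for i, e in enumerate(events) for hit in match_event(e)]
```

Note that the look-alike host `zkservice.cloud.example.com` does not fire, whereas the raw `like` substring in the query would match it.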
Reference:
https://jp.security.ntt/tech_blog/contagious-interview-ottercookie