Elastic Security Labs uncovered REF9403, a new Contagious Interview campaign that hides malware in SVG files via steganography and uses fake job offers to target developers. The payloads align with OTTERCOOKIE and include browser and wallet theft, file theft, a Socket.IO-based RAT, and clipboard stealing, with infrastructure on rightwidth[.]dev and related subdomains. #REF9403 #ContagiousInterview #OTTERCOOKIE #rightwidthdev
Keypoints
- Elastic Security Labs identified a previously undocumented Contagious Interview infection chain tracked as REF9403.
- The campaign targeted developers through fake job postings and coding challenge repositories shared in Slack direct messages.
- Malware payloads were hidden in SVG image files using steganography, with Base64 fragments spread across flag images.
- The malicious code executed on server startup and delivered four stages: browser and crypto wallet stealing, file theft, a Socket.IO RAT, and clipboard stealing.
- The malware showed strong overlap with OTTERCOOKIE in code, behavior, and infrastructure.
- Stolen data was exfiltrated to rightwidth[.]dev infrastructure, including ldb.rightwidth[.]dev, upload.rightwidth[.]dev, controller.rightwidth[.]dev, and file.rightwidth[.]dev.
- The operation used trojanized repositories that appeared functional, and some victims reportedly ran or published them unknowingly.
MITRE Techniques
- [T1056.001 ] Keylogging / Clipboard Data Capture â The campaign included clipboard stealing to collect copied content from victim systems. [âThe clipboard functionality is only available on macOS and Windows. The malware polls every 500ms for new clipboard content, exfiltrating any changesâ]
- [T1105 ] Ingress Tool Transfer â The dropper downloaded second-stage binaries from an external host before renaming them and executing them. [âdownloads three second-stage binaries via curl from file.rightwidth[.]devâ]
- [T1027 ] Obfuscated Files or Information â The malware used obfuscator.io and hidden Base64 fragments in SVG comments to conceal payloads and evade static detection. [âhide chunks of the malwareâ, âThis JavaScript malware is protected by obfuscator.ioâ]
- [T1027.003 ] Steganography â Malware code was concealed inside legitimate-looking SVG image files. [âusing steganography in SVG image files to hide chunks of the malwareâ]
- [T1036 ] Masquerading â The malware disguised itself as benign npm-related activity and legitimate project files to avoid suspicion. [âsets its process title to npm-cache, masquerading as a benign npm caching processâ]
- [T1059.007 ] JavaScript â The malicious logic was implemented in JavaScript and executed on server startup. [âserver/index.js calls runServerValidation()â, âJavaScript file in the repoâ]
- [T1218.005 ] Scripting: Visual Basic / PowerShell â PowerShell was used on Windows to read clipboard contents. [âpowershell -NoProfile -NonInteractive Get-Clipboardâ]
- [T1053 ] Scheduled Task / Job â The malware ran persistently on startup by being invoked through npm scripts when the server launched. [âboth npm run dev and npm start launch server/index.js, so the payload executes on each server bootâ]
- [T1071.001 ] Web Protocols â The RAT used Socket.IO over HTTPS for command-and-control communication. [âestablishes a persistent Socket.IO command-and-control channelâ]
- [T1021.005 ] Remote Services: Socket Sessions â The operator executed shell commands over the Socket.IO channel for interactive access. [âreturns the output as a message event over the same Socket.IO connectionâ]
- [T1082 ] System Information Discovery â The malware collected host details and checked system characteristics for VM detection and victim registration. [âsystem host informationâ, âRetrieves system details using the WMIC commandâ]
- [T1497.001 ] Virtualization/Sandbox Evasion: System Checks â The malware checked for VMware, VirtualBox, QEMU, Parallels, and similar indicators before continuing. [âvmware, virtualbox, qemu, microsoft corporationâ, âIf there is a match, the malware places a tag in the C2 response with (VM)â]
- [T1113 ] Screen Capture / Clipboard Theft â The malware collected clipboard content as a form of user input theft. [âexfiltrating any changes to the C2 serverâ]
- [T1003 ] OS Credential Dumping â The browser credential and keychain theft targeted saved credentials and authentication material. [âexfiltrates saved credentialsâ, âthe system keychain database is also exfiltratedâ]
- [T1005 ] Data from Local System â The file stealer recursively collected documents, source code, configuration files, histories, and other local data. [âsearching for the following files whose names match a set of glob patternsâ]
- [T1033 ] System Owner/User Discovery â The malware used user and host context in registration and file-path targeting, including user directory lock files. [âwriting its own process ID to a lock file in the userâs directoryâ]
Indicators of Compromise
- [SHA-256 ] Trojanized repository samples â 8e571d58794b9b44ae53c2c67bedef72c500e8adbb80aab7a5c263adcba55b1e, 3e6360f83a95540aa2176d279ca4694513afb1e5116a7ffe591c6b5bcf3b9c3c, and other 6 hashes
- [Domain ] C2 and infrastructure â rightwidth[.]dev, ldb.rightwidth[.]dev, upload.rightwidth[.]dev, controller.rightwidth[.]dev, file.rightwidth[.]dev
- [IPv4 ] OTTERCOOKIE C2 infrastructure â 195.26.248[.]212, 188.40.64[.]61
- [File names ] Trojanized repositories and payloads â next-ecommerce-private-main.zip, shopping-platform-main.zip, hostService.txt, printSvc.txt
- [API endpoints ] RAT and exfiltration paths â /api/service/makelog, /api/service/process/, /cldbs, /upload
- [Process / command strings ] Execution and clipboard collection â server/index.js, npm-cache, wmic logicaldisk get name, powershell -NoProfile -NonInteractive Get-Clipboard
- [Wallet extension IDs ] Targeted browser extensions â nkbihfbeogaeaoehlefnkodbefgpgknn, acmacodkjbdgmoleebolmdjonilkdbch, and other 23 items
Read more: https://www.elastic.co/security-labs/contagious-interview-malware-svg-steganography