A Cisco Talos report unveils a malicious campaign linked to North Korea’s Famous Chollima group, targeting developers through fake job offers and trojanized open-source tools. The campaign leverages malware families BeaverTail and OtterCookie to steal cryptocurrency wallets, keystrokes, and sensitive data across multiple platforms. #FamousChollima #BeaverTail #OtterCookie #NPM #SupplyChainAttack
Key points
- The campaign begins with fake job offers on freelancing platforms that lure developers into running trojanized applications.
- Malicious payloads are loaded through a multi-stage process built on obfuscated JavaScript.
- BeaverTail and OtterCookie now share code and run cross-platform on Windows, macOS, and Linux.
- OtterCookie v5 includes modules for keylogging, screenshot capture, drive enumeration, and exfiltration.
- The attackers use supply chain tactics, targeting cryptocurrency browser extensions and possibly embedding malware in VS Code extensions.