CyberSecurity news
FlagThis - #OtterCookie
|
@securityonline.info
//
The North Korean threat actor WaterPlum, also known as Famous Chollima or PurpleBravo, is behind the latest iteration of the OtterCookie malware, version 4. This cross-platform malware is designed to target financial institutions, cryptocurrency platforms, and FinTech companies across the globe. OtterCookie's evolution demonstrates a significant advancement in its capabilities, posing an increased threat level. The malware is often deployed through the "Contagious Interview" campaign, which uses fake job offers to entice victims into opening malicious payloads.
OtterCookie v4 boasts enhanced credential theft capabilities, with modules specifically designed to steal credentials from Google Chrome, MetaMask, and iCloud Keychain. One module decrypts and extracts passwords from Chrome using the Windows Data Protection API (DPAPI), while another targets the MetaMask extension in browsers like Chrome and Brave, as well as iCloud Keychain, to harvest sensitive data. These stolen credentials are then stored in a local database before being exfiltrated. These advancements represent a significant leap from earlier versions of OtterCookie which primarily functioned as a file grabber. A key feature of OtterCookie v4 is its ability to detect virtual machine environments, including VMware, VirtualBox, Microsoft Hyper-V, and QEMU. This allows the malware to evade analysis and detection by security researchers and automated sandbox environments. The malware's cross-platform functionality allows it to operate across Windows, macOS, and Linux, significantly broadening its potential impact. Researchers first exposed OtterCookie in December 2024, and the malware has rapidly evolved since then, with version 3 appearing in February 2025 and version 4 in April 2025.
Share:
References :
Classification:
|