Concise Cyber
North Korean Hackers Evolve Malware, Merging BeaverTail and OtterCookie
Threat Actor Refines Toolset in New Campaigns

A North Korean threat actor previously associated with the “Contagious Interview” campaign has been observed merging functionality from two of its malware families, BeaverTail and OtterCookie. According to new research from Cisco Talos, recent campaigns show a marked convergence of the two programs’ functions, indicating that the group is actively refining its toolset rather than running the two families side by side. The ongoing rework of its malicious software reflects a persistent effort by the group to improve its operational capabilities and evade detection.

In addition to combining features, the group has upgraded OtterCookie with a new surveillance module that adds keylogging and screenshot capture on compromised systems. Where earlier versions focused on stealing stored credentials and wallet data, this module gives the attackers a more direct way to harvest sensitive information and monitor victim activity in real time.

Attribution and Advanced Payload Delivery

The activity is attributed to a threat cluster that security vendors track under numerous aliases, including CL-STA-0240, DeceptiveDevelopment, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi. The wide range of monikers reflects the fact that each vendor names the cluster independently; they describe overlapping views of the same activity, not distinct groups.

This development follows a report from Google Threat Intelligence Group (GTIG) and Mandiant that revealed the threat actor’s use of a technique known as EtherHiding. This stealthy method fetches next-stage payloads from the BNB Smart Chain, highlighting the group’s use of blockchain technology to conceal its command-and-control infrastructure and payload delivery mechanisms. Because the payload is read from a public chain rather than from an attacker-controlled server, it cannot be taken down by a conventional hosting or domain takedown, and the actor can swap the payload by updating the contract’s state. Defenders should therefore treat outbound requests to public blockchain RPC endpoints from unexpected processes, particularly developer tooling, as worth investigating.

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You are advised to do your own checks and balances before making any decision, and the owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/