EXECUTIVE SUMMARY:
OtterCandy is malware employed by the North Korea-linked cyber threat group WaterPlum. The group has been active in campaigns such as Contagious Interview and ClickFake Interview, targeting various sectors globally. OtterCandy, a Remote Access Trojan (RAT), has been used in attacks against Windows, macOS, and Linux systems. Significant updates have been made to OtterCandy, enhancing its capabilities and stealth features.
OtterCandy is a remote access Trojan (RAT) and information-stealer written in Node.js. Upon execution, it connects to the attacker's command-and-control (C2) infrastructure using WebSocket communication, allowing the adversary to issue commands that exfiltrate browser credentials, cryptocurrency wallets, and confidential files. It achieves persistence using a helper component and includes a fallback self-fork mechanism triggered on receipt of a SIGINT event. A recent variant update introduced several enhancements: a new client_id field for improved victim identification, an expanded list of hard-coded browser extension targets, full-data exfiltration support for Chromium-based browsers, and an ss_del command which deletes registry keys, files, and directories to erase traces.
This represents an evolution of existing toolsets and shows the actor's capability to enhance functionality and stealth in a relatively short timeframe. The broadened platform support and augmented exfiltration features underscore the need for organizations to review their detection and response capabilities. Continuous monitoring, rapid patching, strong credential hygiene, and network segmentation will be key to mitigating its potential impact.
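The behaviour chain described above (a Node.js process opening a WebSocket C2 channel, reading browser credential stores, and writing Run-key persistence) can be turned into a simple host-level correlation rule. The following is an added example, not code from the referenced reports; the EDR-style event fields, hostnames, pids and paths are constructed for illustration.

```python
"""Correlate constructed EDR-style telemetry for the OtterCandy behaviour chain."""
import json
from collections import defaultdict

def is_node(e):
    """True when the acting process image is a Node.js runtime (OtterCandy is written in Node.js)."""
    name = e.get("image", "").lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name in ("node", "node.exe")

# One predicate per behaviour from the summary, keyed by the threat-profile technique id.
RULES = {
    "T1059.007": lambda e: e["action"] == "process_start",
    "T1071.001": lambda e: e["action"] == "net_connect"
                           and e.get("url", "").startswith(("ws://", "wss://")),
    "T1555.003": lambda e: e["action"] == "file_read"
                           and e.get("path", "").endswith(("Login Data", "logins.json")),
    "T1547.001": lambda e: e["action"] == "reg_set"
                           and "\\currentversion\\run" in e.get("key", "").lower(),
}

def correlate(events, min_techniques=3):
    """Group events by (host, pid) of Node.js processes and return those that match
    at least `min_techniques` distinct behaviours, as {(host, pid): [technique ids]}.
    The threshold keeps a lone developer Node.js app with a WebSocket from alerting."""
    hits = defaultdict(set)
    for e in events:
        if not is_node(e):
            continue
        for tid, matches in RULES.items():
            if matches(e):
                hits[(e["host"], e["pid"])].add(tid)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_techniques}

# Constructed sample telemetry (JSON lines); every host, pid, path and address is invented.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"host":"ws-01","pid":4120,"image":"C:\\Program Files\\nodejs\\node.exe","action":"process_start"}
{"host":"ws-01","pid":4120,"image":"C:\\Program Files\\nodejs\\node.exe","action":"net_connect","url":"wss://203.0.113.10/ws"}
{"host":"ws-01","pid":4120,"image":"C:\\Program Files\\nodejs\\node.exe","action":"file_read","path":"C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"ws-01","pid":4120,"image":"C:\\Program Files\\nodejs\\node.exe","action":"reg_set","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"host":"dev-02","pid":911,"image":"/usr/bin/node","action":"process_start"}
{"host":"dev-02","pid":911,"image":"/usr/bin/node","action":"net_connect","url":"wss://chat.example/socket"}
{"host":"ws-01","pid":5050,"image":"C:\\Program Files\\Google\\Chrome\\chrome.exe","action":"file_read","path":"C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
'''.strip().splitlines()]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Only the ws-01 Node.js process (pid 4120) reaches the threshold; the dev-02 process shows two behaviours and stays below it, and the browser's own read of its credential store is ignored because it is not a Node.js image.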
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: