
OtterCookie




YARA Detection Rules

OtterCookie_YARA_Detection
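rule OtterCookie_Detection {
    meta:
        description = "Detects malicious npm packages and artifacts associated with North Korean threat actors impersonating Rollup polyfill tools, known as OtterCookie"
        author = "AI Generated"
        ttp = "T1195.002, T1555, T1059.007, T1071.001, T1027, T1082, T1005, T1566, T1071, T1114, T1056.002, T1056.001"
        ioc_domain = "jsonkeeper.com"
        ioc_ips = "216.126.236.244, 142.93.211.30"
        ioc_packages = "rollup-packages-polyfill-core, rollup-runtime-polyfill-core, quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, swift-parse-stream, express-session-js, security-alerts-sdk, events-runtime, o3forms"
        github_repo = "marketfront"
        registry_user = "marketfront"

    strings:
        // Names of the malicious npm packages. Any one of these appearing in a
        // package.json, lockfile or node_modules path is a direct IoC hit.
        // NOTE: some names ("events-runtime", "quirky-token") are generic enough
        // that a hit should be confirmed against the registry before escalation.
        $pkg1 = "rollup-packages-polyfill-core" nocase
        $pkg2 = "rollup-runtime-polyfill-core" nocase
        $pkg3 = "quirky-token" nocase
        $pkg4 = "react-icon-svgs" nocase
        $pkg5 = "rollup-plugin-polyfill-connect" nocase
        $pkg6 = "swift-parse-stream" nocase
        $pkg7 = "express-session-js" nocase
        $pkg8 = "security-alerts-sdk" nocase
        $pkg9 = "events-runtime" nocase
        $pkg10 = "o3forms" nocase

        // Publisher account used for both the GitHub repo and the npm registry.
        $repo_ref = "github.com/marketfront" nocase
        $user_ref = "npmjs.com/~marketfront" nocase
        $user_ref2 = "registry.npmjs.org/~marketfront" nocase

        // Staging / C2 infrastructure. jsonkeeper.com is a public JSON-hosting
        // service also referenced by benign projects, so it is only used as a
        // corroborating indicator in the condition, never on its own.
        $domain_c2 = "jsonkeeper.com" nocase
        // `fullword` prevents a C2 IP from matching as a substring of a longer,
        // unrelated address (e.g. "216.126.236.2441" or "1142.93.211.30").
        $ip_c2_1 = "216.126.236.244" ascii fullword
        $ip_c2_2 = "142.93.211.30" ascii fullword

        // Loader behaviours. These are generic Node.js / JS API names and are
        // never sufficient alone; they only strengthen a jsonkeeper.com hit.
        // Limitation: $behavior4 matches only the dotted form; code that does
        // `const { exec } = require("child_process")` will not trigger it.
        $behavior1 = "process.env" ascii
        $behavior2 = "fs.readFileSync" ascii
        $behavior3 = "os.tmpdir" ascii
        $behavior4 = "child_process.exec" ascii
        $behavior5 = "http.request" ascii
        $behavior6 = "writeFileSync" ascii
        $behavior7 = "getPlatform" ascii
        $behavior8 = "exfiltrate" ascii
        $behavior9 = "fetchSecrets" ascii
        $behavior10 = "sendBeacon" ascii

    condition:
        // Direct IoC hits: a named malicious package, the publisher account,
        // or one of the actor-controlled IPs.
        any of ($pkg*) or
        any of ($repo_ref, $user_ref, $user_ref2) or
        any of ($ip_c2*) or
        // jsonkeeper.com is a shared public service, so require it to co-occur
        // with several loader behaviours. The previous `all of ($behavior*)`
        // form was effectively unreachable (it needed every one of ten
        // unrelated API names in one file) and was in any case shadowed by the
        // bare `$domain_c2 or` term, so the compound clause never contributed
        // a match that the bare domain term had not already produced.
        ($domain_c2 and 3 of ($behavior*))
}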

This rule is AI-generated and has not been validated against real OtterCookie samples. Expect false positives: jsonkeeper.com is a public JSON-hosting service used by benign projects, several package names (e.g. "events-runtime", "quirky-token") are generic, and the behaviour strings are ordinary Node.js API names. Scan a representative benign corpus (including lockfiles and node_modules) and tune before deploying to production.

Source Articles