OtterCookie
1 YARA rule
Indicators of Compromise 15
Type           Value
Domain         jsonkeeper.com
GitHub Repo    marketfront
IP             142.93.211.30
IP             216.126.236.244
Package        events-runtime
Package        express-session-js
Package        o3forms
Package        quirky-token
Package        react-icon-svgs
Package        rollup-packages-polyfill-core
Package        rollup-plugin-polyfill-connect
Package        rollup-runtime-polyfill-core
Package        security-alerts-sdk
Package        swift-parse-stream
Registry User  marketfront
MITRE ATT&CK TTPs 12
ID         Technique                          Tactic
T1005      Data from Local System             Collection
T1027      Obfuscated Files or Information    Defense Evasion
T1056.001  Keylogging                         Collection
T1056.002  GUI Input Capture                  Collection
T1059.007  JavaScript                         Execution
T1071      Application Layer Protocol         Command and Control
T1071.001  Web Protocols                      Command and Control
T1082      System Information Discovery       Discovery
T1114      Email Collection                   Collection
T1195.002  Compromise Software Supply Chain   Initial Access
T1555      Credentials from Password Stores   Credential Access
T1566      Phishing                           Initial Access
YARA Detection Rules
OtterCookie_YARA_Detection
```yara
rule OtterCookie_Detection {
    meta:
        description = "Detects malicious npm packages and artifacts associated with North Korean threat actors impersonating Rollup polyfill tools, known as OtterCookie"
        author = "AI Generated"
        ttp = "T1195.002, T1555, T1059.007, T1071.001, T1027, T1082, T1005, T1566, T1071, T1114, T1056.002, T1056.001"
        ioc_domain = "jsonkeeper.com"
        ioc_ips = "216.126.236.244, 142.93.211.30"
        ioc_packages = "rollup-packages-polyfill-core, rollup-runtime-polyfill-core, quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, swift-parse-stream, express-session-js, security-alerts-sdk, events-runtime, o3forms"
        github_repo = "marketfront"
        registry_user = "marketfront"

    strings:
        // Package names from the IoC list. These are plain substring matches
        // with nocase, so short generic names such as "o3forms", "quirky-token"
        // and "events-runtime" will also hit unrelated files that merely
        // mention them. Expect false positives on lockfiles, docs and logs.
        $pkg1 = "rollup-packages-polyfill-core" nocase
        $pkg2 = "rollup-runtime-polyfill-core" nocase
        $pkg3 = "quirky-token" nocase
        $pkg4 = "react-icon-svgs" nocase
        $pkg5 = "rollup-plugin-polyfill-connect" nocase
        $pkg6 = "swift-parse-stream" nocase
        $pkg7 = "express-session-js" nocase
        $pkg8 = "security-alerts-sdk" nocase
        $pkg9 = "events-runtime" nocase
        $pkg10 = "o3forms" nocase

        // Publisher account references (GitHub repo and npm registry user).
        $repo_ref = "github.com/marketfront" nocase
        $user_ref = "npmjs.com/~marketfront" nocase
        $user_ref2 = "registry.npmjs.org/~marketfront" nocase

        // C2 infrastructure. An IP string also matches longer strings that
        // contain it (e.g. "142.93.211.300"); a regex with boundaries is tighter.
        $domain_c2 = "jsonkeeper.com" nocase
        $ip_c2_1 = "216.126.236.244" ascii
        $ip_c2_2 = "142.93.211.30" ascii

        // Generic Node.js API names plus three helper names. The API names
        // appear in large amounts of benign code; the rule is AI-generated and
        // unvalidated (see the note below), so none of these are confirmed
        // strings from an OtterCookie sample.
        $behavior1 = "process.env" ascii
        $behavior2 = "fs.readFileSync" ascii
        $behavior3 = "os.tmpdir" ascii
        $behavior4 = "child_process.exec" ascii
        $behavior5 = "http.request" ascii
        $behavior6 = "writeFileSync" ascii
        $behavior7 = "getPlatform" ascii
        $behavior8 = "exfiltrate" ascii
        $behavior9 = "fetchSecrets" ascii
        $behavior10 = "sendBeacon" ascii

    condition:
        // Any package name, account reference or network IoC fires on its own.
        any of ($pkg*) or
        $domain_c2 or
        $ip_c2_1 or
        $ip_c2_2 or
        any of ($repo_ref, $user_ref, $user_ref2) or
        // Redundant as written: the network-IoC terms above already satisfy the
        // condition by themselves, so the behaviour strings never change the
        // result of this rule.
        (all of ($behavior*) and ($domain_c2 or $ip_c2_1 or $ip_c2_2))
}
```

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.
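As an added example (not part of this page and not vendor tooling), the script below checks an npm project's package.json and package-lock.json against the package and network IoCs listed above. It matches dependency names exactly, which avoids the substring hits that the YARA rule's nocase package strings produce on unrelated files, and it also flags any lockfile entry whose tarball was resolved from the listed domain or IPs. The page gives package names without versions, so every version of a listed name is reported. SAMPLE_MANIFEST and SAMPLE_LOCK are constructed for illustration; the lockfile handling for v1 and v2/v3 formats is an assumption about npm's file layout, not something the page describes.

```python
"""Check an npm project against the OtterCookie package and network IoCs.

Added example for this page, not the page's own tooling. Package names,
domain and IPs come from the IoC list above; SAMPLE_MANIFEST and
SAMPLE_LOCK are constructed for illustration.
"""
import json
import sys

# Malicious npm package names from the IoC list (names only; no versions given).
OTTERCOOKIE_PACKAGES = frozenset({
    "events-runtime", "express-session-js", "o3forms", "quirky-token",
    "react-icon-svgs", "rollup-packages-polyfill-core",
    "rollup-plugin-polyfill-connect", "rollup-runtime-polyfill-core",
    "security-alerts-sdk", "swift-parse-stream",
})

# C2 domain and IPs from the IoC list; checked against lockfile "resolved" URLs.
NETWORK_IOCS = ("jsonkeeper.com", "142.93.211.30", "216.126.236.244")


def scan_package_json(manifest):
    """Return (section, name, spec) for each direct dependency that is an IoC."""
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in OTTERCOOKIE_PACKAGES:      # exact name, not substring
                hits.append((section, name, spec))
    return hits


def _check(hits, name, info):
    """Append a hit for an IoC name and for each IoC host in the resolved URL."""
    version = info.get("version", "?")
    if name in OTTERCOOKIE_PACKAGES:
        hits.append((name, version, "ioc package name"))
    for ioc in NETWORK_IOCS:
        if ioc in info.get("resolved", ""):
            hits.append((name, version, "resolved from " + ioc))


def scan_package_lock(lock):
    """Return (name, version, reason) for every IoC in a v1, v2 or v3 lockfile."""
    hits = []
    packages = lock.get("packages")
    if packages is not None:                      # lockfileVersion 2/3: flat map
        for path, info in packages.items():
            if path == "":                        # root project entry, skip
                continue
            # Keys look like "node_modules/a/node_modules/@scope/b"; the name is
            # everything after the last "node_modules/" unless given explicitly.
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            _check(hits, name, info)
    else:                                         # lockfileVersion 1: nested tree
        stack = list(lock.get("dependencies", {}).items())
        while stack:
            name, info = stack.pop()
            _check(hits, name, info)
            stack.extend(info.get("dependencies", {}).items())
    return hits


# Constructed sample project: one listed package pulled in directly, another
# pulled in transitively from an IoC IP, plus a benign look-alike
# ("express-session") that must not hit.
SAMPLE_MANIFEST = {"dependencies": {"express": "^4.18.0",
                                    "express-session": "^1.17.0",
                                    "rollup-runtime-polyfill-core": "^1.0.2"}}
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
        "node_modules/express-session": {"version": "1.17.3",
            "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.17.3.tgz"},
        "node_modules/rollup-runtime-polyfill-core": {"version": "1.0.2",
            "resolved": "https://registry.npmjs.org/rollup-runtime-polyfill-core/-/rollup-runtime-polyfill-core-1.0.2.tgz"},
        "node_modules/rollup-runtime-polyfill-core/node_modules/quirky-token": {
            "version": "0.3.1", "resolved": "http://142.93.211.30/quirky-token-0.3.1.tgz"},
    },
}


def main(argv):
    """Usage: script.py [package.json package-lock.json]; defaults to the samples."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            manifest = json.load(f)
        with open(argv[2]) as f:
            lock = json.load(f)
    else:
        manifest, lock = SAMPLE_MANIFEST, SAMPLE_LOCK
    hits = scan_package_json(manifest) + scan_package_lock(lock)
    for hit in hits:
        print("HIT", *hit)
    return 1 if hits else 0          # non-zero exit lets CI fail the build


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed samples flagged, or pass a real package.json and package-lock.json path pair; the non-zero exit code is intended for a CI gate. Name matching is exact on purpose: the YARA rule's `$pkg*` strings would also flag this sample's lockfile on the benign "express-session" entry only if a listed name appeared as a substring, and conversely would flag documentation or logs that merely mention "o3forms".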