The RAT module maintains common communication with an attacker-controlled C2 server, executing instructions to terminate its personal course of, change the working listing, checklist recordsdata and directories, navigate to the appliance listing, retrieve listing particulars, add a file, execute Node.js code, and run arbitrary shell instructions, amongst others.
StoatWaffle additionally displays customized habits relying on the sufferer’s browser. “If the sufferer browser was Chromium household, it steals browser extension knowledge in addition to saved credentials,” the researchers mentioned. “If the sufferer browser was Firefox, it steals browser extension knowledge in addition to saved credentials. It reads extensions.json and will get the checklist of browser extension names, then checks whether or not the designated key phrase is included.”
For victims working macOS, the malware additionally targets Keychain databases, they added.
Contagious Interview, revisited
StoatWaffle isn’t an remoted marketing campaign. It’s the newest chapter within the Contagious Interview assaults, broadly attributed to North Korea-linked menace actors tracked as WaterPlum.
