The Lazarus Group, a North Korean state-sponsored threat actor, has escalated its efforts with a new wave of attacks targeting employees of nuclear-related organizations. The campaign, part of the DeathNote series also known as "Operation DreamJob," features a refined infection chain that combines older tactics with new malware to improve stealth and persistence. The group lures victims with fake job opportunities, distributing malicious archive files disguised as IT skill assessments for prominent defense and aerospace firms.
In this campaign, Lazarus targeted two employees from the same nuclear organization with ISO files containing trojanized VNC software. These cleverly disguised files included malicious executables like AmazonVNC.exe and a readme.txt with connection instructions. Once executed, these files deployed a downloader named Ranid Downloader, initiating an infection chain that introduced multiple malware strains such as MISTPEN, RollMid, and LPEClient. These tools allowed Lazarus to escalate attacks by fetching additional payloads from command-and-control (C2) servers.
A standout feature of the campaign is the emergence of CookiePlus, a newly discovered modular malware that masquerades as a Notepad++ plugin. CookiePlus acts as a downloader capable of executing DLLs, shellcode, and additional payloads, and it transmits only minimal information to its C2 servers, encrypting that traffic with RSA and ChaCha20. Its modular design allows the operators to add plugins for tasks such as data exfiltration and lateral movement. By posing as a legitimate tool, the malware is built to evade detection.
The Lazarus Group also utilized compromised WordPress servers for their C2 infrastructure, employing a decentralized approach that complicates tracking and blocking. The introduction of CookiePlus reflects the group's shift towards modular frameworks, increasing the efficiency of their attacks. As Lazarus continues to refine its methods, sectors like nuclear energy, aerospace, and defense must enhance their defenses and maintain vigilance to counter this relentless and evolving threat.
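The two host-side behaviours described above, an executable run straight from a mounted ISO and a DLL loaded by Notepad++ from its plugins folder, both leave traces in endpoint telemetry. The following detector is an added example written for this page, not code from the original article or from any vendor report on the campaign. It assumes Sysmon-style events (Event ID 1 ProcessCreate and Event ID 7 ImageLoad, with the Image, ParentImage, ImageLoaded and Signed fields); the events it scans are constructed for illustration, not captured telemetry, and the plugin DLL name is a placeholder.

```python
"""Triage heuristics for the DreamJob-style infection chain (added example).

Assumptions: events are dicts shaped like Sysmon EID 1 (ProcessCreate) and
EID 7 (ImageLoad). The sample events below are constructed, not real logs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

SYSTEM_DRIVE = "C:"  # assumption: Windows is installed on C:


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _drive(path: str) -> str:
    """Drive letter prefix such as 'E:' or '' when the path has none."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def rule_exec_from_mounted_volume(ev: Dict[str, str]) -> Optional[Alert]:
    """EID 1: explorer.exe launching an .exe from a non-system drive letter.

    A double-clicked ISO is mounted as a new drive letter, so the trojanized
    VNC executable shipped inside it runs from e.g. E:\\ with explorer.exe as
    parent. USB sticks and network shares match too: treat this as a triage
    signal that needs a look at the drive type, not as a verdict.
    """
    if ev.get("EventID") != "1":
        return None
    image = ev.get("Image", "")
    drive = _drive(image)
    if (_basename(ev.get("ParentImage", "")) == "explorer.exe"
            and image.lower().endswith(".exe")
            and drive and drive != SYSTEM_DRIVE):
        return Alert("exec_from_mounted_volume", ev.get("Computer", "?"),
                     f"{image} started by explorer.exe from drive {drive}")
    return None


def rule_unsigned_npp_plugin(ev: Dict[str, str]) -> Optional[Alert]:
    """EID 7: notepad++.exe loading an unsigned DLL from its plugins tree.

    Notepad++ loads plugins from <install>\\plugins\\<Name>\\<Name>.dll, which
    is where a malicious plugin such as CookiePlus would have to sit.
    """
    if ev.get("EventID") != "7":
        return None
    loaded = ev.get("ImageLoaded", "")
    if (_basename(ev.get("Image", "")) == "notepad++.exe"
            and "\\plugins\\" in loaded.lower()
            and ev.get("Signed", "").lower() == "false"):
        return Alert("unsigned_npp_plugin", ev.get("Computer", "?"),
                     f"notepad++.exe loaded unsigned plugin {loaded}")
    return None


RULES: List[Callable[[Dict[str, str]], Optional[Alert]]] = [
    rule_exec_from_mounted_volume,
    rule_unsigned_npp_plugin,
]


def scan(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Run every rule over every event and collect the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry); the plugin name is a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Computer": "WS01", "Image": "E:\\AmazonVNC.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "E:\\AmazonVNC.exe"},
    {"EventID": "1", "Computer": "WS01",
     "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": "7", "Computer": "WS01",
     "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "ImageLoaded": "C:\\Program Files\\Notepad++\\plugins\\SamplePlugin\\SamplePlugin.dll",
     "Signed": "false"},
    {"EventID": "7", "Computer": "WS01",
     "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Both rules are deliberately narrow and cheap to run over a SIEM export; the first will also fire on legitimate USB or network-share executions, so the drive type of the flagged volume (virtual DVD for a mounted ISO) is the first thing to check when triaging a hit.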
Finally, UK intelligence services have revealed that these attacks are part of a global campaign to steal military and nuclear secrets.