The Lazarus Group, a notorious North Korean-linked threat actor, was observed using a sophisticated infection chain against at least two employees of a nuclear-related organization within a one-month period in January 2024.
The attacks, which culminated in the deployment of a new modular backdoor dubbed CookiePlus, are part of a long-running cyber espionage campaign known as Operation Dream Job, which cybersecurity firm Kaspersky also tracks as DeathNote. The campaign has been active since at least 2020, when ClearSky first documented it.
The threat actors typically target individuals in industries including construction, manufacturing, finance, technology, defense and aerospace, compromising their devices either through the exploitation of vulnerabilities or through social engineering that ultimately leads to malware being deployed on the victims’ machines.
Lazarus, which has also drawn on its experience with supply chain attacks as part of the DeathNote campaign, relies primarily on two tactics. The first is sending malicious documents or trojanized PDF viewers that display tailored job descriptions to the targeted individuals, according to Kaspersky’s extensive analysis.
The second is distributing trojanized remote access tools, either alongside or in place of legitimate software, and convincing the targets to connect to a designated server for a supposed skills assessment.
Kaspersky recently documented an attack that used a modified infection chain to deliver a trojanized VNC utility, disguised as a legitimate tool for conducting skills assessments for IT positions at prominent aerospace and defense companies.
Notably, the Lazarus Group’s use of rogue VNC app variants to target nuclear engineers was highlighted in October 2023 in Kaspersky’s APT trends report for Q3 2023.
Researchers Vasily Berdnikov and Sojun Ryu said that Lazarus delivered the initial archive file to at least two individuals within the same organization, which they refer to as Host A and Host B. “After a month, they launched intensified efforts to achieve their primary objective.”
The malicious VNC applications, disguised as a modified version of TightVNC called “AmazonVNC.exe,” are believed to have been distributed as ISO images and ZIP files. In other cases, a legitimate copy of UltraVNC was used to load a malicious DLL packaged inside the ZIP archive.
That DLL (“vnclang.dll”) functions as a loader for a backdoor discovered by Google-owned Mandiant in September 2022, which tracks the activity under the cluster designated UNC2970 and refers to the backdoor as MISTPEN. MISTPEN, in turn, has recently been found to deliver an additional payload along with a new variant of LPEClient.
Kaspersky said it also found the CookieTime malware deployed on Host A, although the exact method used to deliver it remains unclear. First documented by the company in September and November 2020, CookieTime earned its name from its use of encoded cookie values within HTTP requests to fetch instructions from a command-and-control (C2) server.
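To make that C2 mechanic concrete from a detection standpoint, here is an added example that is not from Kaspersky’s report or from any malware sample: a Python heuristic that scans constructed proxy log lines for cookie values that are long, composed only of Base64-style characters and close to random, and records whether the destination is a bare IP address. The log format, field names and thresholds are assumptions; the page does not describe CookieTime’s actual encoding, so this flags the general pattern of encoded data carried in a Cookie header, not CookieTime specifically.

```python
import math
import re
from collections import Counter

# Constructed sample proxy log lines (hypothetical format: timestamp, client,
# method, URL, quoted Cookie header). These are not captures of real
# CookieTime traffic; 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = """\
2024-02-03T10:15:01Z 10.0.0.12 GET http://www.example-news.test/index.html cookie="sessionid=abc123; lang=en"
2024-02-03T10:15:07Z 10.0.0.12 GET http://cdn.example-static.test/app.js cookie="_ga=GA1.2.123456789.1700000000"
2024-02-03T10:16:44Z 10.0.0.12 GET http://203.0.113.7/board/list.php cookie="PHPSESSID=fkd8e3; pad=AAAABBBBAAAABBBBAAAABBBBAAAABBBBAAAABBBBAAAABBBBAAAABBBBAAAABBBB"
2024-02-03T10:17:02Z 10.0.0.12 POST http://203.0.113.7/board/write.php cookie="id=Aq1Bw2Ce3Dr4Et5Fy6Gu7Hi8Io9Jp0KaLsMdNfOgPhQjRkSlTzUxVcWvXbYnZm"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) cookie="([^"]*)"$')
# Characters allowed in Base64 / URL-safe Base64 output plus padding.
ENCODED_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into {name: value}; parts without '=' get ''."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def suspicious_cookies(header: str, min_len: int = 32, min_entropy: float = 4.0) -> list:
    """Return (name, value, entropy) for cookie values that are long, made only of
    Base64-style characters and near-random. Ordinary session cookies and
    analytics identifiers are usually shorter or lower-entropy than this."""
    hits = []
    for name, value in parse_cookies(header).items():
        if len(value) < min_len or not ENCODED_CHARS.match(value):
            continue
        ent = shannon_entropy(value)
        if ent >= min_entropy:
            hits.append((name, value, ent))
    return hits


def scan(log_text: str) -> list:
    """Run the heuristic over each log line; return one finding per flagged cookie."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, cookie_header = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        for name, value, ent in suspicious_cookies(cookie_header):
            findings.append({
                "timestamp": ts,
                "client": client,
                "method": method,
                "host": host,
                "cookie": name,
                "entropy": round(ent, 2),
                # A bare-IP destination is a second, weaker signal worth recording.
                "ip_literal_host": bool(re.match(r"^\d{1,3}(\.\d{1,3}){3}$", host)),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the constructed input only the 62-character `id` cookie sent to the bare IP is flagged; the repetitive `pad` value is long but has about one bit of entropy per character, which is why length alone is a poor signal. Legitimate high-entropy tokens such as JWTs or signed session cookies will trip this rule, so in practice it is a triage aid to be combined with a per-host baseline rather than an alert on its own.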
Analysis of the attack sequence found that the threat actor moved laterally from Host A to another system (Host C), where CookieTime was used to deliver a range of payloads between February and June 2024, including:
- LPEClient, a malware capable of profiling compromised hosts.
- ServiceChanger, which stops a targeted legitimate service so that the malicious DLL embedded within it can be loaded through the service executable by means of DLL side-loading.
- Charamel Loader, a loader-type malware that decrypts and loads internal resources such as CookieTime, CookiePlus, and
- CookiePlus, a new plugin-based malware that is loaded by both ServiceChanger and Charamel Loader.
The key difference between CookiePlus loaded through Charamel Loader and CookiePlus loaded through ServiceChanger lies in how the C2 information is obtained. According to the researchers, the former runs on its own as a DLL and embeds the C2 information within itself.
The latter fetches what is stored in a separate external file, such as msado.inc, meaning CookiePlus can obtain a C2 list either from an internal resource or from an external file. In all other respects, the behavior is the same.
CookiePlus gets its name from the fact that it masqueraded as an open-source Notepad++ plugin when it was first discovered in the wild. In the attacks targeting the nuclear-related entity, the researchers also found a link between this activity and another operation with similar objectives.
The malware functions as a downloader, retrieving a Base64-encoded, RSA-encrypted payload from the C2 server, which it then decodes and decrypts to execute one of three shellcodes or a DLL. The shellcodes can collect system information and instruct the main CookiePlus module to sleep for a predetermined period of time.
CookiePlus is suspected of being linked to MISTPEN because of overlaps in behavior between the two malware families, including the fact that both have masqueraded as Notepad++ plugins.
Throughout its history, the Lazarus Group has used only a limited repertoire of modular malware frameworks. “The revelation that this group consistently introduces new modular malware, akin to CookiePlus, underscores their relentless effort to refine their arsenal and craft sophisticated infection chains capable of evading detection by security solutions.”
North Korean-affiliated hackers have stolen a staggering $1.34 billion across 47 cryptocurrency attacks this year, a significant increase from the $660.5 million stolen in 2023, according to blockchain intelligence firm Chainalysis. That figure includes the May 2024 breach of Japanese cryptocurrency exchange DMM Bitcoin, which resulted in a loss of approximately $305 million at the time.
Large-scale thefts have also become more frequent. “Notably, assaults valued between $50 million and $100 million, and those exceeding $100 million, took place with greater frequency in 2024 compared to 2023, implying a significant escalation of the DPRK’s capabilities for large-scale cybercrime.”