The Lazarus Group has extended its long-running "Operation DreamJob" campaign (part of the activity tracked as the DeathNote cluster) to employees of nuclear-related organizations. The latest infection chain mixes older Lazarus malware with newly observed tools to improve stealth and persistence.
Lazarus's approach in these attacks is unchanged in outline: fake job opportunities are used to get a first foothold on a target's machine. Historically the group has relied on malicious documents and trojanized utilities such as VNC or PuTTY as the lure. In this campaign it added a further pretext, distributing malicious archive files posing as skills assessments for IT positions at well-known aerospace and defense companies.
Two employees of the same nuclear-related organization were targeted with ISO files containing trojanized VNC software. Each image carried a malicious executable named AmazonVNC.exe together with a readme.txt giving connection instructions for the supposed assessment; packaging the executable inside an ISO image helped it slip past mail and endpoint filtering. Once run, the trojanized client dropped a downloader known as Ranid Downloader, which retrieved the next stages of the attack.
Later stages of the infection chain brought in several malware families, including MISTPEN, RollMid and LPEClient. MISTPEN served as a loader, fetching additional payloads from command-and-control (C2) servers, while RollMid and LPEClient were used to progress the intrusion.
A notable feature of the campaign is the return of the CookieTime malware, which now acts as a downloader for further payloads used to move laterally within the network. One of those payloads was CookiePlus, a newly identified modular malware disguised as a Notepad++ plugin.
CookiePlus is the most significant new capability. It is a downloader that supports several execution methods and protects both its C2 communication and the payloads it retrieves with RSA and ChaCha20 encryption. Its functionality is split into plugins, which the page describes as handling tasks such as data exfiltration and lateral movement; this modular layout lets the operators adapt the tool per victim and keeps any single component small enough to evade detection.
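Because CookiePlus masquerades as a Notepad++ plugin, one check a defender can run is an audit of the plugin DLLs actually present on a workstation. The script below is an added example written for this article, not code from the original page or from the researchers who reported the campaign. It assumes, as is standard for current Notepad++ releases, that plugins live under the install directory as plugins\<PluginName>\<PluginName>.dll; the candidate install locations, the 30-day "recently modified" window and the empty $KnownGood allowlist are assumptions to be tuned for your environment.

```powershell
# Added example: audit Notepad++ plugin DLLs for signs of a planted module.
# Assumption: plugins are laid out as plugins\<Name>\<Name>.dll under one of
# these install roots (adjust for non-standard installs or portable copies).
$Candidates = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Notepad++\plugins' } |
    Where-Object { Test-Path $_ }

# SHA-256 allowlist of plugin DLLs taken from a clean reference install.
# Left empty here (assumption); populate it before relying on the hash check.
$KnownGood = @{}

$Findings = foreach ($root in $Candidates) {
    Get-ChildItem -Path $root -Filter *.dll -Recurse -File | ForEach-Object {
        $dll  = $_
        $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
        $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
        $flags = @()

        # A DLL whose name does not match its folder is off the expected
        # plugins\<Name>\<Name>.dll pattern (informational: helper DLLs do this too).
        if ($dll.Directory.Name -ne $dll.BaseName) { $flags += 'off-pattern-layout' }

        # Many legitimate plugins are unsigned, so treat this as a weak signal.
        if ($sig.Status -ne 'Valid') { $flags += "signature=$($sig.Status)" }

        # The allowlist is the strongest signal once populated.
        if ($KnownGood.Count -gt 0 -and -not $KnownGood.ContainsKey($hash)) {
            $flags += 'hash-not-allowlisted'
        }

        # A plugin written recently on a machine that has not been updated is worth a look.
        if ($dll.LastWriteTime -gt (Get-Date).AddDays(-30)) { $flags += 'modified<30d' }

        [pscustomobject]@{
            Path     = $dll.FullName
            SHA256   = $hash
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Modified = $dll.LastWriteTime
            Flags    = ($flags -join ',')
        }
    }
}

# Print only DLLs that raised at least one flag.
$Findings | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host, or push it through your endpoint management tool and collect the output with Export-Csv for fleet-wide comparison. The hash allowlist does the real work: signature status and modification time narrow the list, but a hash that no clean install produces is what should trigger a forensic pull of the DLL.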
For C2 infrastructure the group used compromised WordPress servers hosting PHP-based web services, spread across many regions. Because the servers are otherwise legitimate sites, blocking or tracking the activity by infrastructure alone is difficult.
Overall, CookiePlus marks a move by Lazarus towards modular malware frameworks that can be extended per target. Organizations in the nuclear, aerospace and defense sectors should treat unsolicited job offers and "skills assessment" archives, especially ISO images containing executables, as high-risk, and should monitor for the tooling described above.