The Lazarus Group has been identified as the mastermind behind a sophisticated cyber attack known as “Operation DreamJob” that specifically targets employees working in critical sectors such as nuclear energy. This attack involves the distribution of malicious archive files disguised as legitimate job offers to unsuspecting victims.
Upon execution of these files, a complex multi-stage infection process is triggered. This process includes the deployment of a downloader, loader, and backdoor components, allowing the hackers to establish persistent access to compromised systems. With this access, the threat actors can engage in activities such as data theft, espionage, or disruptive attacks.
Lazarus Group, which is known for its involvement in supply chain attacks, has recently evolved its tactics. In a recent campaign, the group distributed trojanized VNC utilities disguised as skills assessment archives, showcasing their adaptability and resourcefulness in carrying out cyber attacks targeted at specific individuals within organizations.
The group made use of ISO files instead of more easily detectable ZIP archives to deliver a trojanized version of TightVNC, known as AmazonVNC.exe, posing as a legitimate VNC viewer. The malware generated an XOR key from an IP address supplied by the attackers and used it to decrypt the Ranid downloader embedded inside the VNC executable.
In another instance, Lazarus employed a ZIP archive containing a genuine vncviewer.exe along with a malicious vnclang.dll (MISTPEN loader). This loader was used to download additional payloads, including the newly identified RollMid and an updated version of the LPEClient variant, demonstrating the group’s capacity to constantly innovate their attack techniques.
CookieTime malware was identified as a versatile tool used by the Lazarus Group for lateral movement and payload delivery. Initially, CookieTime would receive commands directly from a Command and Control (C2) server. However, it evolved to download and execute various malware strains, such as LPEClient, Charamel Loader, ServiceChanger, and an upgraded version of CookiePlus, showcasing the group’s sophistication in their malicious activities.
CookieTime utilizes diverse loading techniques like DLL side-loading and service execution to maintain persistence and evade detection by security systems. By leveraging trusted services such as ssh-agent and employing DLL side-loading with malicious DLLs, the attackers ensured that their operations remained stealthy and difficult to detect.
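One way a defender can hunt for the side-loading pattern described above (a genuine host binary such as vncviewer.exe or ssh-agent.exe loading an unsigned DLL from a user-writable directory), as an added example that is not part of the original report. The event records are constructed to mimic Sysmon Event ID 7 (Image Load) fields; the host list, trusted directory roots and file paths are assumptions for illustration.

```python
"""Heuristic for the DLL side-loading pattern described in the report:
a legitimate host binary loading an unsigned DLL from outside the usual
system or program directories. Added example; not the report's own code."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Host executables named in the report as side-loading vehicles (assumed list).
WATCHED_HOSTS = {"vncviewer.exe", "ssh-agent.exe"}
# Directory roots where a DLL load by these hosts is considered expected (assumption).
TRUSTED_ROOTS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                 "c:\\program files", "c:\\program files (x86)")

@dataclass
class ImageLoad:
    image: str          # Sysmon "Image": the process that loaded the DLL
    image_loaded: str   # Sysmon "ImageLoaded": full path of the DLL
    signed: bool        # Sysmon "Signed": whether the DLL carries a valid signature

def is_trusted_path(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)

def flag_sideload(ev: ImageLoad) -> Optional[str]:
    """Return a finding string when the event matches the heuristic, else None."""
    host = PureWindowsPath(ev.image).name.lower()
    if host not in WATCHED_HOSTS:
        return None
    dll = PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return None
    if not ev.signed and not is_trusted_path(str(dll)):
        return f"{host} loaded unsigned {dll.name} from {dll.parent}"
    return None

def find_sideloads(events: List[ImageLoad]) -> List[str]:
    return [f for f in map(flag_sideload, events) if f]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\victim\Downloads\SkillsAssessment\vncviewer.exe",
              r"C:\Users\victim\Downloads\SkillsAssessment\vnclang.dll", signed=False),
    ImageLoad(r"C:\Program Files\TightVNC\vncviewer.exe",
              r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoad(r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
              r"C:\ProgramData\Example\helper.dll", signed=False),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\victim\Downloads\random.dll", signed=False),
]

if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE_EVENTS):
        print(finding)
```

Only the first and third constructed events are flagged; the signed system DLL and the unwatched host are ignored, so the heuristic is a starting point to tune against your own baseline, not a complete rule.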
Furthermore, the introduction of CookiePlus, a new plugin-based malware, provides the Lazarus Group with enhanced capabilities for delivering additional payloads from the C2 server. CookiePlus uses encryption techniques like ChaCha20 to secure the payloads, which can be either DLLs or shellcodes. This malware underscores the group’s commitment to developing advanced tools to improve their attack strategies and bypass security defenses.
In a notable shift, the Lazarus Group has started using compromised WordPress servers as C2s for their malicious activities. This change, coupled with the introduction of modular malware like CookiePlus, highlights the group’s ongoing efforts to enhance their cyber capabilities and evade detection by security systems.
Overall, the evolving tactics and advanced tools used by the Lazarus Group in “Operation DreamJob” underscore the persistent threat posed by sophisticated cybercriminals. Organizations operating in critical sectors must remain vigilant and implement robust security measures to protect their systems and data from such targeted attacks.