Lazarus Group’s DeathNote Campaign Targets Nuclear Facilities with Fake Job Scams
The infamous Lazarus Group, known for its sophisticated cyberattacks, has evolved its tactics in a new wave of assaults targeting employees in nuclear-related organizations. This campaign, part of the DeathNote series, also referred to as “Operation DreamJob,” showcases a refined infection chain that combines old and new malware to enhance stealth and persistence.
A Strategic Approach to Targeting
Lazarus continues to exploit fake job opportunities to infiltrate its victims. Historically, the group has used malicious documents or trojanized tools like VNC or PuTTY to lure targets. In this latest campaign, Lazarus distributed at least three malicious archive files disguised as skill assessments for IT roles at prominent defense and aerospace firms.
Two employees from the same nuclear organization were targeted with ISO files containing trojanized VNC software. These ISO files, which evaded detection, contained malicious executables such as AmazonVNC.exe along with a readme.txt file carrying connection instructions. Upon execution, they deployed a downloader named Ranid Downloader to initiate further stages of the attack.
Evolved Malware Arsenal
The infection chain revealed the deployment of multiple malware strains, including MISTPEN, RollMid, and LPEClient. MISTPEN acted as a loader for additional payloads, fetching new malware from command-and-control (C2) servers. RollMid and LPEClient, relatively new Lazarus tools, were used to escalate the attack.
Notably, the campaign featured the reappearance of CookieTime malware. Previously known for executing commands from C2 servers, CookieTime now downloads additional payloads, enabling lateral movement within networks. One such payload was CookiePlus, a newly discovered modular malware masquerading as a Notepad++ plugin.
CookiePlus: A Dangerous New Tool
CookiePlus represents a significant advancement in Lazarus’s capabilities. Acting as a downloader, it supports various execution methods and transmits minimal information to its C2 servers. The malware uses sophisticated encryption, including RSA and ChaCha20, to protect its communications and payloads.
CookiePlus can load DLLs or execute shellcode, continuously downloading new payloads until the C2 server ceases communication. Its modular design allows for adaptability, with plugins performing tasks like data exfiltration and lateral movement. The malware’s disguise as legitimate tools like DirectX-Wrappers underscores Lazarus’s efforts to evade detection.
Infrastructure and Persistence
The group leveraged compromised WordPress servers as C2 infrastructure, hosting PHP-based web services across various regions. This decentralized setup makes it challenging for defenders to track and block their activities.
A Constantly Evolving Threat
The introduction of CookiePlus signals a shift in Lazarus’s strategy, emphasizing modular malware frameworks to improve attack efficiency. While the group’s tactics remain consistent, its arsenal is under active development, posing an ever-increasing challenge for cybersecurity defenders.
This campaign highlights the need for robust defenses and vigilance in sectors like nuclear energy, aerospace, and defense. As Lazarus continues to refine its methods, organizations must stay ahead of the curve to mitigate the risks posed by this relentless adversary.