- Kaspersky recently discovered new additions to the Lazarus DreamJob campaign
- The criminalss targeted two people working in the same nuclear-related firm
- In the attack, they used updated malware to try and gain access
The infamous Lazarus Group, a threat actor linked to the North Korean government, was recently observed targeting IT professionals within the same nuclear-related organization with new malware strains.
These attacks seem to be a continuation of a campaign first kicked off in 2020, called Operation DreamJob (AKA Deathnote), were the attackers would create fake jobs and offer these dreamy positions to people working in defense, aerospace, cryptocurrency, and other global sectors, around the world.
They would reach out via social media such as LinkedIn or X, and run multiple rounds of “interviews”. At any point during these interviews, the victims would be either dropped a piece of malware, or trojanized remote access tools.
CookieTime and CookiePlus
The end goal of this campaign is to either steal sensitive information, or cryptocurrency. Lazarus has, among other things, managed to steal roughly $600 million from a crypto company back in 2022.
As Kaspersky explained in its latest writeup, in this case, Lazarus targeted two individuals with malicious remote access tools. They then used the tools to drop a piece of malware called CookieTime, which acted as a backdoor, allowing the attackers to run different commands on the compromised endpoint.
This gave them the ability to move laterally across the network and download several additional malware strains, such as LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus.
Kaspersky says CookiePlus is particularly interesting, since it is a new plugin-based malicious program, discovered during the most recent investigation. It was loaded by both ServiceChanger and Charamel Loader, with variants being executed differently, depending on the loader. Since CookiePlus acts as a downloader, its functionality is limited, and it transmits minimal information.
The attacks took place in January 2024, meaning Lazarus remains a major threat coming out of North Korea.
Via The Hacker News
