North Korean Lazarus Hackers Target Nuclear Workers
- Kaspersky recently discovered new additions to the Lazarus DreamJob campaign
- The criminals targeted two people who worked at the same nuclear company
- In the attack, they used updated malware to gain access
Recently, the infamous Lazarus Group, a threat actor linked to the North Korean government, was observed targeting IT professionals within the same nuclear organization with new types of malware.
These attacks appear to be a continuation of a campaign first launched in 2020 called Operation DreamJob (AKA Deathnote), in which the attackers create fake jobs and offer these dream positions to people working in defense, aerospace, cryptocurrency and other sectors all over the world.
They would reach out via social media such as LinkedIn or X and conduct multiple rounds of ‘interviews’. At some point during these interviews, victims were sent either a piece of malware or trojanized remote access tools.
CookieTime and CookiePlus
The end goal of this campaign is to steal sensitive information or cryptocurrency. Among other things, Lazarus has managed to steal approximately $600 million from a crypto company in 2022.
As Kaspersky explained in its latest article, in this case Lazarus targeted two individuals with malicious remote access tools. The attackers then used the tools to drop a piece of malware called CookieTime, which acted as a backdoor, allowing them to execute various commands on the compromised endpoint.
This gave them the ability to move laterally across the network and download several additional malware strains, such as LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus.
Kaspersky says that CookiePlus is particularly interesting because it is a new plugin-based malicious program discovered during the latest research. It was loaded by both ServiceChanger and Charamel Loader, with variants running differently depending on the loader. Because CookiePlus acts as a downloader, its functionality is limited and it sends minimal information.
The attacks took place in January 2024, showing that Lazarus remains a major threat originating from North Korea.
Via The Hacker News