The Lazarus Group, a notorious hacking collective tied to North Korea (DPRK), has been observed using a "complex infection chain" to target at least two employees of a nuclear-related organization during January 2024.
These attacks culminated in the deployment of CookiePlus, a newly discovered modular backdoor. The operation is part of the long-running cyber-espionage campaign Operation Dream Job, also tracked as NukeSped by cybersecurity firm Kaspersky, which has been active since at least 2020, when it was first uncovered by ClearSky.
The Lazarus Group typically lures victims by impersonating recruiters and offering lucrative job opportunities. These tactics often target employees in sectors such as defense, aerospace, cryptocurrency, and other critical industries, leading to malware infections on their systems.
Sophisticated Infection Chain
According to Kaspersky, the group uses two primary methods under their DeathNote campaign to compromise targets:
- Sending malicious documents or trojanized PDF viewers that display fake job descriptions.
- Distributing trojanized remote access tools, such as VNC or PuTTY, to manipulate victims into connecting to a specific server for skills assessments.
The latest wave of attacks focused on the second method. The adversaries delivered a trojanized VNC utility disguised as a legitimate assessment tool for IT job applicants, specifically targeting employees of aerospace and defense companies.
Lazarus Group's Revamped Approach
Kaspersky's analysis revealed that Lazarus delivered an archive file containing a trojanized TightVNC app named "AmazonVNC.exe" to at least two employees (Host A and Host B) within the same organization. A month later, the attackers escalated their operations against Host A.
The malware was distributed via ISO images and ZIP files. In some cases, the attackers used legitimate versions of UltraVNC to sideload a malicious DLL called "vnclang.dll." This DLL serves as a loader for the MISTPEN backdoor, previously identified by Mandiant in September 2024 and tracked as part of activity cluster UNC2970.
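The sideloading step described above (a legitimate VNC binary loading a malicious "vnclang.dll" dropped beside it from an ISO or ZIP) is the kind of behaviour image-load telemetry can surface. The following Python script is an added defender-side illustration, not code from Kaspersky's report or from this article; it parses constructed, Sysmon-style image-load records (the hosts, users, timestamps and paths are invented, and only the names AmazonVNC.exe, UltraVNC and vnclang.dll come from the report) and flags loads that match the pattern. The list of user-writable directory hints and the "signed" field are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-style (Event ID 7, image load) records in key=value form.
# Every host, user, path and timestamp is invented for this example; only the
# file names AmazonVNC.exe, UltraVNC and vnclang.dll come from the report.
SAMPLE_LOG = r"""
ts=2024-01-15T09:12:01Z host=HOSTA image="C:\Users\alice\Downloads\AmazonVNC\AmazonVNC.exe" module="C:\Users\alice\Downloads\AmazonVNC\vnclang.dll" signed=false
ts=2024-01-15T09:12:02Z host=HOSTA image="C:\Users\alice\Downloads\AmazonVNC\AmazonVNC.exe" module="C:\Windows\System32\kernel32.dll" signed=true
ts=2024-01-15T10:40:17Z host=HOSTB image="C:\Program Files\UltraVNC\vncviewer.exe" module="C:\Program Files\UltraVNC\vnclang.dll" signed=true
ts=2024-01-15T11:02:44Z host=HOSTB image="C:\Users\bob\AppData\Local\Temp\7zO1\vncviewer.exe" module="C:\Users\bob\AppData\Local\Temp\7zO1\vnclang.dll" signed=false
"""

# DLL name the report identifies as the sideloaded loader for MISTPEN.
WATCHLIST_MODULES = {"vnclang.dll"}

# Heuristic (an assumption for this example): directory fragments where an
# extracted ZIP or a file copied off a mounted ISO typically ends up.
USER_WRITABLE_HINTS = ("\\users\\", "\\downloads\\", "\\temp\\", "\\appdata\\")

# key=value pairs; values containing spaces are double-quoted in the records.
RECORD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in RECORD_RE.findall(line)}


def is_user_writable(path: str) -> bool:
    """True if the path lies under a directory an ordinary user can write to."""
    low = path.lower()
    return any(hint in low for hint in USER_WRITABLE_HINTS)


def same_directory(image: str, module: str) -> bool:
    """True if the DLL sits in the same folder as the executable that loaded it."""
    return PureWindowsPath(image).parent == PureWindowsPath(module).parent


def assess(record: dict) -> list:
    """Return the reasons (possibly none) an image-load record looks like sideloading."""
    image = record.get("image", "")
    module = record.get("module", "")
    signed = record.get("signed", "").lower() == "true"
    mod_name = PureWindowsPath(module).name.lower()
    reasons = []
    if mod_name in WATCHLIST_MODULES and not signed:
        reasons.append("watchlisted module name loaded unsigned")
    if mod_name in WATCHLIST_MODULES and is_user_writable(module):
        reasons.append("watchlisted module loaded from user-writable path")
    if same_directory(image, module) and is_user_writable(image) and not signed:
        reasons.append("unsigned DLL co-located with executable in user-writable path")
    return reasons


def scan(log_text: str) -> list:
    """Scan all records and collect those with at least one sideloading indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = assess(rec)
        if reasons:
            findings.append({
                "host": rec.get("host"),
                "image": rec.get("image"),
                "module": rec.get("module"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["host"], f["image"], "->", f["module"])
        for r in f["reasons"]:
            print("   ", r)
```

Run as written, the script flags the two records where vnclang.dll is loaded unsigned from a Downloads or Temp folder and leaves the signed load from the install directory and the System32 load alone. The value of combining a name watchlist with the generic "unsigned DLL next to its host executable in a user-writable location" rule is that the second rule still fires if the loader DLL is renamed in a later campaign.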
Modular Malware Arsenal
The attack chain also deployed CookieTime, a malware first observed in 2020, which communicates with command-and-control (C2) servers using encoded cookie values. The attackers moved laterally from Host A to another system (Host C) to deliver multiple payloads between February and June 2024. These included:
- LPEClient: Profiles compromised hosts.
- ServiceChanger: Disables legitimate services and sideloads rogue DLLs.
- Charamel Loader: Decrypts and loads internal resources, including CookiePlus, CookieTime, and ForestTiger.
- CookiePlus: A plugin-based malware used as a downloader for additional payloads.
CookiePlus was disguised as an open-source Notepad++ plugin called ComparePlus but was later found to be based on a project named DirectX-Wrappers. The malware retrieves encrypted payloads from the C2 server, decrypts them, and executes them as shellcode or DLLs, which allows it to profile the system while keeping a low footprint.
Behavioral Overlaps with MISTPEN
Researchers believe CookiePlus may be a successor to MISTPEN, citing similarities in their modular design and their shared disguise as Notepad++ plugins. The development of new malware like CookiePlus highlights the Lazarus Group's ongoing efforts to refine its tooling and evade detection.
DPRK's Expanding Cybercrime Activities
These findings coincide with a report from blockchain intelligence firm Chainalysis, revealing that North Korean hackers stole $1.34 billion across 47 cryptocurrency hacks in 2024, a significant increase from $660.50 million in 2023.
One notable incident was the May 2024 breach of Japan's DMM Bitcoin exchange, resulting in a $305 million loss.