Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware

By Viral Trending Content
The Lazarus Group, an infamous threat actor linked to the Democratic People’s Republic of Korea (DPRK), has been observed leveraging a “complex infection chain” targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024.

The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are part of a long-running cyber espionage campaign known as Operation Dream Job, which cybersecurity company Kaspersky also tracks as NukeSped. The campaign has been active since at least 2020, when it was exposed by ClearSky.

These activities often involve targeting developers and employees in various companies, including defense, aerospace, cryptocurrency, and other global sectors, with lucrative job opportunities that ultimately lead to the deployment of malware on their machines.

“Lazarus is interested in carrying out supply chain attacks as part of the DeathNote campaign, but this is mostly limited to two methods: the first is by sending a malicious document or trojanized PDF viewer that displays the tailored job descriptions to the target,” the Russian firm said in an exhaustive analysis.

“The second is by distributing trojanized remote access tools such as VNC or PuTTY to convince the targets to connect to a specific server for a skills assessment.”

The latest set of attacks documented by Kaspersky involves the second method, with the adversary making use of a completely revamped infection chain that delivers a trojanized VNC utility under the pretext of conducting a skills assessment for IT positions at prominent aerospace and defense companies.

It’s worth noting that Lazarus Group’s use of rogue versions of VNC apps to target nuclear engineers was previously highlighted by the company in October 2023 in its APT trends report for Q3 2023.

“Lazarus delivered the first archive file to at least two people within the same organization (we’ll call them Host A and Host B),” researchers Vasily Berdnikov and Sojun Ryu said. “After a month, they attempted more intensive attacks against the first target.”

The VNC app, a trojanized version of TightVNC called “AmazonVNC.exe,” is believed to have been distributed in the form of both ISO images and ZIP files. In other cases, a legitimate version of UltraVNC was used to sideload a malicious DLL packed within the ZIP archive.

The DLL (“vnclang.dll”) serves as a loader for a backdoor dubbed MISTPEN, which was uncovered by Google-owned Mandiant in September 2024; Mandiant tracks the activity cluster under the moniker UNC2970. MISTPEN, for its part, has been found to deliver two additional payloads: RollMid and a new variant of LPEClient.

Kaspersky said it also observed the CookieTime malware being deployed on Host A, although the exact method that was used to facilitate it remains unknown. First discovered by the company in September and November 2020, CookieTime is so named for its use of encoded cookie values in HTTP requests to fetch instructions from a command-and-control (C2) server.
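CookieTime’s habit of carrying C2 tasking in cookie values suggests a straightforward check to run over web-proxy logs. The Python below is an added example written for this article; it is not Kaspersky’s code and does not reproduce the malware. The page does not say how CookieTime encodes its cookies, so the heuristic (flag Base64 cookie values that decode to long, high-entropy, mostly non-printable bytes), its thresholds, the log format and every sample line are constructed assumptions.

```python
import base64
import binascii
import hashlib
import math
from dataclasses import dataclass

# Assumed thresholds: tune them against a baseline of your own proxy traffic.
MIN_DECODED_LEN = 48        # ignore short tokens such as ordinary session ids
ENTROPY_THRESHOLD = 4.5     # bits per byte of the decoded cookie value
PRINTABLE_THRESHOLD = 0.85  # decoded values that are mostly text (JSON, JWT-style) are treated as benign


@dataclass
class Finding:
    client: str
    host: str
    cookie_name: str
    entropy: float
    printable_ratio: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_b64decode(value: str):
    """Return the decoded bytes if `value` is well-formed Base64 (padding optional), else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_cookies(header: str) -> list[tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs; only the first '=' separates name from value."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def scan_line(line: str) -> list[Finding]:
    """Flag cookie values that decode to long, high-entropy, mostly non-printable bytes."""
    fields = line.split(None, 4)  # assumed log format: client method host path cookie-header
    if len(fields) < 5:
        return []
    client, _method, host, _path, cookie_header = fields
    findings = []
    for name, value in parse_cookies(cookie_header):
        raw = try_b64decode(value)
        if raw is None or len(raw) < MIN_DECODED_LEN:
            continue
        ent = shannon_entropy(raw)
        printable = sum(0x20 <= b < 0x7F for b in raw) / len(raw)
        if ent >= ENTROPY_THRESHOLD and printable < PRINTABLE_THRESHOLD:
            findings.append(Finding(client, host, name, round(ent, 2), round(printable, 2)))
    return findings


def scan_log(text: str) -> list[Finding]:
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


# Constructed sample log. The last line carries 96 deterministic pseudo-random bytes
# (hash output) standing in for an encoded tasking blob; the third line is a benign
# Base64 cookie that decodes to readable JSON and must not be flagged.
_BLOB = base64.b64encode(
    hashlib.sha512(b"constructed").digest() + hashlib.sha256(b"sample").digest()
).decode()
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET www.example.com /index.html sessionid=abc123; theme=dark",
    "10.0.0.5 GET cdn.example.net /static/app.js __cfduid=d41d8cd98f00b204e9800998ecf8427e",
    "10.0.0.6 GET app.example.com /profile prefs=eyJ1c2VyIjoiYWxpY2UiLCJyb2xlIjoidXNlciIsImxvY2FsZSI6ImVuLVVTIiwidGhlbWUiOiJkYXJrIn0=",
    f"10.0.0.7 POST c2.invalid /api/check tracking={_BLOB}",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}: cookie {f.cookie_name!r} "
              f"entropy={f.entropy} printable={f.printable_ratio}")
```

Encrypted session cookies issued by legitimate sites will trip the same heuristic, so in practice the output is a triage queue to baseline per destination host, not an alert on its own; the Base64 JSON line shows why the printable-ratio check matters for keeping ordinary encoded cookies out of that queue.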

Further investigation of the attack chain has revealed that the threat actor moved laterally from Host A to another machine (Host C), where CookieTime was again used to drop various payloads between February and June 2024, including the following:

  • LPEClient, a malware that comes fitted with capabilities to profile compromised hosts
  • ServiceChanger, a malware that stops a targeted legitimate service so that the service’s executable side-loads a rogue DLL embedded within ServiceChanger
  • Charamel Loader, a loader malware that decrypts and loads internal resources like CookieTime, CookiePlus, and ForestTiger
  • CookiePlus, a new plugin-based malicious program that’s loaded by both ServiceChanger and Charamel Loader
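Two stages above rely on DLL side-loading: the legitimate UltraVNC build that loads “vnclang.dll” from its own archive, and ServiceChanger, which restarts a service so that its executable picks up a planted DLL. The triage logic below is an added example for this article, not Kaspersky’s or Mandiant’s tooling; it scores DLL-load telemetry (field names modelled on what an EDR or Sysmon image-load event carries, but assumed) for the pattern common to both: a DLL loaded from the same directory as its executable, outside administrator-only locations, that is unsigned or signed by a different publisher. All paths, signer names and events are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumed to be writable only by administrators; same-directory loads from here are not scored.
TRUSTED_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


@dataclass(frozen=True)
class ImageLoad:
    """One DLL-load event (field names assumed, not tied to a specific product)."""
    process: str                    # full path of the executable that loaded the DLL
    process_signer: Optional[str]   # publisher from the executable's signature, None if unsigned
    image: str                      # full path of the loaded DLL
    image_signer: Optional[str]     # publisher from the DLL's signature, None if unsigned


def in_trusted_root(path: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, so "c:\program files" matches.
    return any(path.is_relative_to(PureWindowsPath(root)) for root in TRUSTED_ROOTS)


def assess_side_load(load: ImageLoad) -> list[str]:
    """Return the reasons a load looks like DLL side-loading; an empty list means not suspicious."""
    exe_dir = PureWindowsPath(load.process).parent
    dll_dir = PureWindowsPath(load.image).parent
    # Side-loading depends on the loader search order picking the DLL that sits beside the
    # executable, so only same-directory loads are scored.
    if exe_dir != dll_dir:
        return []
    if in_trusted_root(exe_dir):
        return []
    reasons = []
    if load.image_signer is None:
        reasons.append("unsigned DLL loaded from a user-writable directory")
    elif load.process_signer and load.image_signer != load.process_signer:
        reasons.append("DLL publisher differs from the executable's publisher")
    if reasons and load.process_signer:
        # A signed vendor binary running from Downloads, Temp or a mounted image is the
        # classic host for a planted DLL; note it so the analyst sees the relocation.
        reasons.append("signed executable running outside Program Files (possible relocated copy)")
    return reasons


def triage(loads: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to its reasons."""
    hits: dict[str, list[str]] = {}
    for load in loads:
        reasons = assess_side_load(load)
        if reasons:
            hits[load.image] = reasons
    return hits


# Constructed events. "vnclang.dll" is the loader name reported in the article; the
# executable name, directories and signers are placeholders.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", "Example Corp",
              r"C:\Program Files\ExampleApp\helper.dll", "Example Corp"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Windows",
              r"C:\Windows\System32\ntdll.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\alice\Downloads\vnc\vncviewer.exe", "Hypothetical VNC Publisher",
              r"C:\Users\alice\Downloads\vnc\vnclang.dll", None),
    ImageLoad(r"E:\tools\setup.exe", "Example Corp",
              r"E:\tools\version.dll", "Another Signer Ltd"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\tool.exe", None,
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
]

if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_LOADS).items():
        print(dll)
        for r in reasons:
            print("   -", r)
```

The ServiceChanger case is the same rule seen from the service side: after the service is stopped and restarted, the image-load event for its executable shows a DLL from the service’s own directory that the vendor never signed, so pairing this check with service stop/start events narrows the queue further.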

“The difference between each CookiePlus loaded by Charamel Loader and by ServiceChanger is the way it is executed. The former runs as a DLL alone and includes the C2 information in its resources section,” the researchers pointed out.

“The latter fetches what is stored in a separate external file like msado.inc, meaning that CookiePlus has the capability to get a C2 list from both an internal resource and an external file. Otherwise, the behavior is the same.”

CookiePlus gets its name from the fact that it was disguised as an open-source Notepad++ plugin called ComparePlus when it was detected in the wild for the first time. In the attacks targeting the nuclear-related entity, it has been found to be based on another project named DirectX-Wrappers.

The malware serves as a downloader that retrieves a Base64-encoded, RSA-encrypted payload from the C2 server, which is then decoded and decrypted to execute three different shellcodes or a DLL. The shellcodes are equipped with features to collect system information and to make the main CookiePlus module sleep for a certain number of minutes.

It’s suspected that CookiePlus is a successor to MISTPEN owing to behavioral overlaps between the two malware families, including the aspect that both have disguised themselves as Notepad++ plugins.

“Throughout its history, the Lazarus group has used only a small number of modular malware frameworks such as Mata and Gopuram Loader,” Kaspersky said. “The fact that they do introduce new modular malware, such as CookiePlus, suggests that the group is constantly working to improve their arsenal and infection chains to evade detection by security products.”

The findings come as blockchain intelligence firm Chainalysis revealed that threat actors affiliated with North Korea have stolen $1.34 billion across 47 cryptocurrency hacks in 2024, up from $660.50 million in 2023. This included the May 2024 breach of Japanese cryptocurrency exchange DMM Bitcoin, which suffered a loss of $305 million at the time.

“Unfortunately, it appears that the DPRK’s crypto attacks are becoming more frequent,” the company said. “Notably, attacks between $50 and $100 million, and those above $100 million occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits.”
