Tuesday, April 1, 2025
HomeCyber AttackLazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

Published on

SIEM as a Service

Follow Us on Google News

The Lazarus Group has recently employed a sophisticated attack, dubbed “Operation DreamJob,” to target employees in critical sectors like nuclear energy, which involves distributing malicious archive files disguised as legitimate job offers. 

Once executed, these files unleash a multi-stage infection chain, comprising a downloader, loader, and backdoor, allowing the threat actor to establish persistent access to compromised systems, potentially enabling data theft, espionage, or disruptive attacks.

Lazarus, known for supply chain attacks, has evolved its tactics, as in a recent campaign, they sent trojanized VNC utilities disguised as skills assessment archives. 

Malicious files created on the victims’ hosts
Malicious files created on the victims’ hosts

After initial compromise, they intensified attacks on specific targets, which highlights the group’s adaptability and underscores the need for vigilant security practices, especially against evolving threat actors.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The group used ISO files (instead of easily detectable ZIP) to deliver a trojanized TightVNC (AmazonVNC.exe) disguised as a legitimate VNC viewer, which generated an XOR key based on a provided IP address to decrypt downloader Ranid stored within the VNC executable. 

In another case, Lazarus used a ZIP archive containing a legitimate vncviewer.exe alongside a malicious vnclang.dll (MISTPEN loader). vnclang.dll downloaded additional payloads, including the recently discovered RollMid and a new LPEClient variant.  

Malicious AmazonVNC.exe 
Malicious AmazonVNC.exe 

The Lazarus group utilized CookieTime malware as a versatile tool for lateral movement and payload delivery. Initially, CookieTime directly received commands from a C2 server. 

However, it evolved to download and execute various malware strains, including LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus. 

CookieTime leverages diverse loading techniques, such as DLL side-loading and service execution, to maintain persistence and evade detection.

By exploiting legitimate services like ssh-agent and leveraging DLL side-loading with malicious DLLs, the attackers ensured stealthy and persistent operations.

Overall malware-to-malware flowchart
Overall malware-to-malware flowchart

CookiePlus, a new plugin-based malware, was discovered, which can be loaded by either ServiceChanger or Charamel Loader and downloads additional payloads from the C2 server after initial communication. 

The payloads are encrypted with ChaCha20 and can be either DLLs or shellcodes. CookiePlus uses a 32-byte data array as a key to decrypt the payloads, where the type of payload is determined by a flag, and if it’s a DLL, CookiePlus will load it into memory. 

If it’s a shellcode, CookiePlus will grant it execute permission before execution, and the execution result is then encrypted and sent back to the C2 server. CookiePlus is likely the successor to MISTPEN based on similar functionalities and plugin usage. 

CookiePlus C2 communication process
CookiePlus C2 communication process

According to Secure List, the Lazarus group has recently employed a new tactic, utilizing compromised WordPress servers as C2s for their malicious activities. 

This shift, coupled with the introduction of modular malware like CookiePlus, indicates the group’s ongoing efforts to enhance their arsenal and bypass security measures. 

CookiePlus’s ability to function as a downloader further complicates threat detection and response, as it can potentially deliver various payloads, including additional malware. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Massive 400GB X (Twitter) Data Leak Surfaces on Hacker Forums

A colossal 400GB trove containing data from 2.873 billion X (formerly Twitter) users has...

PortSwigger Launches Burp AI to Enhance Penetration Testing with AI

PortSwigger, the makers of Burp Suite, has taken a giant leap forward in the...

Chord Specialty Dental Partners Data Breach Exposes Customer Personal Data

Chord Specialty Dental Partners is under scrutiny after revealing a data breach that compromised...

Kentico Xperience CMS XSS Vulnerability Allows Remote Code Execution

Kentico Xperience CMS, a widely used platform designed for enterprises and organizations, is under...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Massive 400GB X (Twitter) Data Leak Surfaces on Hacker Forums

A colossal 400GB trove containing data from 2.873 billion X (formerly Twitter) users has...

PortSwigger Launches Burp AI to Enhance Penetration Testing with AI

PortSwigger, the makers of Burp Suite, has taken a giant leap forward in the...

Chord Specialty Dental Partners Data Breach Exposes Customer Personal Data

Chord Specialty Dental Partners is under scrutiny after revealing a data breach that compromised...