Cyber Security News

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed “Operation DreamJob,” to target employees in critical sectors like nuclear energy, which involves distributing malicious archive files disguised as legitimate job offers. 

Once executed, these files unleash a multi-stage infection chain, comprising a downloader, loader, and backdoor, allowing the threat actor to establish persistent access to compromised systems, potentially enabling data theft, espionage, or disruptive attacks.

Lazarus, known for supply chain attacks, has evolved its tactics, as in a recent campaign, they sent trojanized VNC utilities disguised as skills assessment archives. 

Malicious files created on the victims’ hosts

After initial compromise, they intensified attacks on specific targets, which highlights the group’s adaptability and underscores the need for vigilant security practices, especially against evolving threat actors.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The group used ISO files (instead of easily detectable ZIP) to deliver a trojanized TightVNC (AmazonVNC.exe) disguised as a legitimate VNC viewer, which generated an XOR key based on a provided IP address to decrypt downloader Ranid stored within the VNC executable. 

In another case, Lazarus used a ZIP archive containing a legitimate vncviewer.exe alongside a malicious vnclang.dll (MISTPEN loader). vnclang.dll downloaded additional payloads, including the recently discovered RollMid and a new LPEClient variant.  

Malicious AmazonVNC.exe

The Lazarus group utilized CookieTime malware as a versatile tool for lateral movement and payload delivery. Initially, CookieTime directly received commands from a C2 server. 

However, it evolved to download and execute various malware strains, including LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus. 

CookieTime leverages diverse loading techniques, such as DLL side-loading and service execution, to maintain persistence and evade detection.

By exploiting legitimate services like ssh-agent and leveraging DLL side-loading with malicious DLLs, the attackers ensured stealthy and persistent operations.

Overall malware-to-malware flowchart

CookiePlus, a new plugin-based malware, was discovered, which can be loaded by either ServiceChanger or Charamel Loader and downloads additional payloads from the C2 server after initial communication. 

The payloads are encrypted with ChaCha20 and can be either DLLs or shellcodes. CookiePlus uses a 32-byte data array as a key to decrypt the payloads, where the type of payload is determined by a flag, and if it’s a DLL, CookiePlus will load it into memory. 

If it’s a shellcode, CookiePlus will grant it execute permission before execution, and the execution result is then encrypted and sent back to the C2 server. CookiePlus is likely the successor to MISTPEN based on similar functionalities and plugin usage. 

CookiePlus C2 communication process

According to Secure List, the Lazarus group has recently employed a new tactic, utilizing compromised WordPress servers as C2s for their malicious activities. 

This shift, coupled with the introduction of modular malware like CookiePlus, indicates the group’s ongoing efforts to enhance their arsenal and bypass security measures. 

CookiePlus’s ability to function as a downloader further complicates threat detection and response, as it can potentially deliver various payloads, including additional malware. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra

Recent Posts

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 hours ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 hours ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

2 hours ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

3 hours ago

DigiEver IoT Devices Exploited To Deliver Mirai-based Malware

A new Mirai-based botnet, "Hail Cock Botnet," has been exploiting vulnerable IoT devices, including DigiEver…

3 hours ago

Hackers Exploiting PLC Controllers In US Water Management System To Gain Remote Access

A joint Cybersecurity Advisory (CSA) warns of ongoing exploitation attempts by Iranian Islamic Revolutionary Guard…

3 hours ago