Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed “Operation DreamJob,” to target employees in critical sectors like nuclear energy, which involves distributing malicious archive files disguised as legitimate job offers. 

Once executed, these files unleash a multi-stage infection chain, comprising a downloader, loader, and backdoor, allowing the threat actor to establish persistent access to compromised systems, potentially enabling data theft, espionage, or disruptive attacks.

Lazarus, known for supply chain attacks, has evolved its tactics, as in a recent campaign, they sent trojanized VNC utilities disguised as skills assessment archives. 

After initial compromise, they intensified attacks on specific targets, which highlights the group’s adaptability and underscores the need for vigilant security practices, especially against evolving threat actors.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The group used ISO files (instead of easily detectable ZIP) to deliver a trojanized TightVNC (AmazonVNC.exe) disguised as a legitimate VNC viewer, which generated an XOR key based on a provided IP address to decrypt downloader Ranid stored within the VNC executable. 

In another case, Lazarus used a ZIP archive containing a legitimate vncviewer.exe alongside a malicious vnclang.dll (MISTPEN loader). vnclang.dll downloaded additional payloads, including the recently discovered RollMid and a new LPEClient variant.  

The Lazarus group utilized CookieTime malware as a versatile tool for lateral movement and payload delivery. Initially, CookieTime directly received commands from a C2 server. 

However, it evolved to download and execute various malware strains, including LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus. 

CookieTime leverages diverse loading techniques, such as DLL side-loading and service execution, to maintain persistence and evade detection.

By exploiting legitimate services like ssh-agent and leveraging DLL side-loading with malicious DLLs, the attackers ensured stealthy and persistent operations.

CookiePlus, a new plugin-based malware, was discovered, which can be loaded by either ServiceChanger or Charamel Loader and downloads additional payloads from the C2 server after initial communication. 

The payloads are encrypted with ChaCha20 and can be either DLLs or shellcodes. CookiePlus uses a 32-byte data array as a key to decrypt the payloads, where the type of payload is determined by a flag, and if it’s a DLL, CookiePlus will load it into memory. 

If it’s a shellcode, CookiePlus will grant it execute permission before execution, and the execution result is then encrypted and sent back to the C2 server. CookiePlus is likely the successor to MISTPEN based on similar functionalities and plugin usage. 

According to Secure List, the Lazarus group has recently employed a new tactic, utilizing compromised WordPress servers as C2s for their malicious activities. 

This shift, coupled with the introduction of modular malware like CookiePlus, indicates the group’s ongoing efforts to enhance their arsenal and bypass security measures. 

CookiePlus’s ability to function as a downloader further complicates threat detection and response, as it can potentially deliver various payloads, including additional malware. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free