The Lazarus Group has been running the DeathNote campaign (also known as Operation DreamJob), which uses fake job offers to deliver malware to employees in sectors including defense, aerospace, and cryptocurrency, with the aim of compromising critical systems and stealing sensitive data.
It employed a multi-stage attack, leveraging a complex infection chain involving downloaders, loaders, and backdoors to target employees of a nuclear-related organization, demonstrating sophisticated delivery and persistence techniques.
Within the DeathNote campaign, the group relies on supply chain attacks, primarily delivering malicious documents or trojanized remote access tools, to infiltrate target systems and carry out its operations.
It initially delivered trojanized VNC utilities disguised as IT assessment archives. Subsequent attacks targeted specific individuals within organizations, potentially exploiting initial footholds to gain deeper access.
The Lazarus Group used compressed ISO files to evade detection, likely delivered through Chromium-based browsers; the initial stage involved a trojanized VNC package, followed by a legitimate VNC viewer and a malicious DLL.
The group distributed trojanized VNC tools (AmazonVNC.exe and vnclang.dll) disguised as legitimate software to deploy further malware (Ranid Downloader, MISTPEN, RollMid, LPEClient) on target machines.
CookieTime malware, delivered via the SQLExplorer service after LPEClient was installed, initially only received C2 commands but later evolved to download payloads. The attackers then moved laterally to Host C, where CookieTime downloaded and executed multiple malware strains, including LPEClient, Charamel Loader, ServiceChanger, and an updated CookiePlus, using Charamel Loader to decrypt and load the payloads.
The Lazarus Group's ServiceChanger malware abuses legitimate services such as ssh-agent, replacing their original DLLs with malicious ones, a technique known as DLL side-loading that allows the malware to execute with the service's elevated privileges.
Similarly, the CookieTime malware employs diverse loading methods, including DLL side-loading and service installation, to ensure persistent and stealthy execution on compromised systems.
It uses a new modular downloader, CookiePlus, disguised as open-source plugins, which communicates with the C2 server to potentially identify the sandbox environment through configuration file path offset.
The malware encrypts data with RSA, Base64-encodes it, and sends it to the C2 server, which returns an additional encrypted payload. The malware then decodes that payload, identifies its type (DLL or shellcode) from a specific flag, and decrypts it using a 32-byte key and the supplied nonce.
According to Securelist, CookiePlus, the successor to MISTPEN, uses ChaCha20 to encrypt its C2 communication and fetches shellcode disguised as DLLs, which it executes to collect system information, control sleep behavior, and modify execution time.
The Lazarus Group has adopted CookiePlus, a new modular malware framework that can act as a downloader, helping the group evade detection and deploy additional malicious payloads, which makes it a significant threat for defenders.