Lazarus Hackers Unleash VNC Malware in Global Attacks

The Lazarus Group has been running the DeathNote campaign (also known as Operation DreamJob), in which fake job offers lure employees in sectors such as defense, aerospace, and cryptocurrency into running malware, with the aim of compromising critical systems and stealing sensitive data.

In the case described here, the group used a multi-stage attack chain of downloaders, loaders, and backdoors against employees of a nuclear-related organization, demonstrating sophisticated delivery and persistence techniques.

The group also leverages supply chain attacks within the DeathNote campaign, primarily by delivering malicious documents or trojanized remote access tools, to infiltrate target systems and carry out its operations.

Malicious files created on the victims’ hosts

The group initially delivered trojanized VNC utilities disguised as IT skills-assessment archives. Follow-on attacks targeted specific individuals within the organization, apparently using the initial foothold to gain deeper access.

The tools were packaged in compressed ISO files, most likely downloaded through a Chromium-based browser. ISO images are a popular delivery container because files extracted from a mounted image have historically not carried the Mark-of-the-Web that triggers SmartScreen and Office protections. The first archive contained a trojanized VNC program; a later one contained a legitimate VNC viewer alongside a malicious DLL.

The trojanized VNC tools (AmazonVNC.exe, and vnclang.dll loaded by the legitimate vncviewer.exe) were disguised as legitimate software and used to deploy further malware on the target machines: Ranid Downloader, MISTPEN, RollMid, and LPEClient.

Legitimate vncviewer.exe 

CookieTime, installed as the SQLExplorer service after LPEClient, originally only received commands from its C2 server but has since evolved into a downloader. From this host the attackers moved laterally to another machine (Host C), where CookieTime downloaded and executed several further malware strains: LPEClient, Charamel Loader, ServiceChanger, and an updated CookiePlus, with Charamel Loader used to decrypt and load the payloads.

The Lazarus group's ServiceChanger malware abuses legitimate Windows services such as ssh-agent: it places a malicious DLL where the service will load it in place of the expected one (DLL side-loading), so the payload runs in the service's context, with elevated privileges. No vulnerability in the service itself is needed; the technique relies on the DLL search order and on the attacker being able to write to a directory the service loads from.

Similarly, CookieTime employs several loading methods, including DLL side-loading and installation as a Windows service, to stay persistent and stealthy on compromised systems.
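Both side-loading cases on this page (the malicious vnclang.dll dropped beside a legitimate vncviewer.exe, and ServiceChanger's abuse of a service such as ssh-agent) leave the same trace in image-load telemetry: a trusted executable loading a DLL it should not. The following detection logic is an added example, not code from the Securelist report or from Cyber Press. It runs over constructed Sysmon Event ID 7 (ImageLoaded)-style records; the ssh-agent path is the stock Windows OpenSSH location, while the libcrypto.dll name, the C:\ProgramData staging directory and the vncviewer/vnclang paths are assumptions made for the demo.

```python
"""Flag DLL side-loading patterns in image-load events (constructed sample data)."""
import ntpath

# Directories a Windows service binary is expected to load DLLs from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments that mark user- or world-writable staging locations.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "c:\\programdata\\", "c:\\users\\")
# Accounts a Windows service typically runs as.
SERVICE_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\local service",
    "nt authority\\network service",
}

# Constructed Sysmon Event ID 7 records (not real logs from the incident).
EVENTS = [
    {"Image": r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "User": r"NT AUTHORITY\SYSTEM"},
    # Assumed ServiceChanger-style side-load: DLL name is a guess for the demo.
    {"Image": r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
     "ImageLoaded": r"C:\ProgramData\OpenSSH\libcrypto.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "User": r"NT AUTHORITY\SYSTEM"},
    # Legitimate viewer plus malicious DLL dropped in the same folder.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vncviewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vnclang.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "User": r"CORP\alice"},
    # Benign: signed plugin loaded by an installed application.
    {"Image": r"C:\Program Files\Foo\foo.exe",
     "ImageLoaded": r"C:\Program Files\Foo\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid", "User": r"CORP\alice"},
]


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def analyze(events: list) -> list:
    """Return (rule, process_image, loaded_dll) tuples for suspicious loads."""
    findings = []
    for ev in events:
        image, dll = ev["Image"], ev["ImageLoaded"]
        unsigned = (ev.get("Signed", "false").lower() != "true"
                    or ev.get("SignatureStatus") != "Valid")
        user = ev.get("User", "").lower()

        # A binary living in System32 should not pull DLLs from elsewhere.
        if in_system_dir(image) and not in_system_dir(dll):
            findings.append(("system_binary_loads_external_dll", image, dll))

        # Unsigned code entering a service account's process is the
        # privilege-escalation half of the ServiceChanger technique.
        if user in SERVICE_ACCOUNTS and unsigned:
            findings.append(("unsigned_dll_in_service_context", image, dll))

        # Unsigned DLL sitting next to its host executable in a writable
        # directory: the vncviewer.exe + vnclang.dll pattern.
        if (unsigned and in_user_writable(dll)
                and ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()):
            findings.append(("unsigned_dll_beside_dropped_exe", image, dll))
    return findings


if __name__ == "__main__":
    for rule, image, dll in analyze(EVENTS):
        print(f"{rule}: {image} -> {dll}")
```

The rules are deliberately independent so that one event can trip several of them; in a real pipeline the first two rules belong on every service host process, and the signature fields should come from the sensor rather than from the file on disk, which the attacker can replace.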

Malicious AmazonVNC.exe 

The group also uses a new modular downloader, CookiePlus, whose components are disguised as open-source plugins. It communicates with the C2 server and appears to use the offset of its configuration file path as a check that can identify a sandbox environment.

The malware RSA-encrypts its request data, Base64-encodes it, and sends it to the C2 server, which answers with an additional encrypted payload. CookiePlus decodes that response, reads a flag that identifies the payload type (DLL or shellcode), and decrypts the payload with a 32-byte key and the nonce supplied alongside it.

CookiePlus C2 communication process

According to Securelist, CookiePlus, the successor to MISTPEN, uses ChaCha20 to protect its C2 traffic and fetches payloads (shellcode or DLLs) that it executes in memory; the observed plugins collect system information, control the implant's sleep behavior, and modify its execution time.

In short, the Lazarus Group has adopted a new modular framework, CookiePlus, that acts as a downloader and fetches additional components only when needed; this helps the group evade detection and deploy further payloads on demand, making it a significant threat for defenders.

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening across cyberspace.
