- Kaspersky recently discovered new additions to the Lazarus DreamJob campaign
- The criminals targeted two people who worked in the same company related to nuclear energy.
- In the attack, they used updated malware to try to gain access.
The infamous Lazarus Group, a threat actor linked to the North Korean government, was recently observed attacking IT professionals within the same nuclear-related organization with new strains of malware.
These attacks appear to be a continuation of a campaign first started in 2020, called Operation DreamJob (also known as Deathnote), in which attackers create fake job postings and offer these dream positions to people working in defense, aerospace, cryptocurrency, and other sectors all over the world.
They would communicate through social networks like LinkedIn or X and conduct multiple rounds of "interviews." At some point during these interviews, victims were sent malware or Trojanized remote access tools.
CookieTime vs CookiePlus
The ultimate goal of this campaign is to steal confidential information or cryptocurrencies. Lazarus, among other things, managed to steal approximately $600 million from a crypto company in 2022.
As Kaspersky explained in its latest article, in this case, Lazarus targeted two people with malicious remote access tools. They then used the tools to launch malware called CookieTime, which acted as a backdoor, allowing attackers to execute different commands on the compromised endpoint.
This gave them the ability to move laterally across the network and download several additional malware strains, such as LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus.
Kaspersky says CookiePlus is particularly interesting as it is a new plug-in-based malware discovered during the most recent investigation. It was loaded by both ServiceChanger and Charamel Loader, and the variants behaved differently depending on the loader. Since CookiePlus acts as a downloader, its functionality is limited and it transmits minimal information.
The attacks took place in January 2024, meaning that Lazarus remains a major threat from North Korea.
Via The Hacker News