A threat actor group known as Lazarus, which is believed to have links with the Democratic People’s Republic of Korea, has targeted at least two employees of a nuclear-related organization. The threat actors approach their targets through novel methods and aim to infect their systems with a new modular backdoor called CookiePlus. The CookiePlus backdoor is part of the long-running cyber espionage campaign tracked as Operation Dream Job, which Kaspersky also tracks as NukeSped.
The attackers mostly target employees of organizations engaged in defense, aerospace and similar sectors with lucrative job offers and related documents that contain embedded payloads for infecting their systems. The other method used by the Lazarus group is to convince their targets to connect to trojanized remote access tools such as VNC or PuTTY, so as to take a skill assessment hosted on a specific server.
In its recent activity, the group also invited targets to take a skill assessment to secure a job at a reputed organization, and asked them to use a VNC client that had been trojanized. The group successfully delivered the first payload to two of its targets and, a month later, attempted a more intense attack on one of them. The VNC app, a trojanized version of TightVNC named “AmazonVNC.exe,” is believed to have been distributed as both ISO images and ZIP files. In other cases, a legitimate version of UltraVNC was used to sideload a malicious DLL packed within the ZIP archive. That DLL (“vnclang.dll”) serves as a loader for a backdoor dubbed MISTPEN, which was uncovered by Google-owned Mandiant in September 2024; Mandiant tracks the activity cluster under the moniker UNC2970. MISTPEN, for its part, has been found to deliver two additional payloads: one codenamed Rollmid and a new variant of LPEClient.
The investigation revealed that the threat actor moved laterally from one host to another, where CookieTime was used to drop various payloads between February and June 2024. CookiePlus derives its name from the fact that it was disguised as an open-source Notepad++ plugin called ComparePlus. The malware serves as a downloader that retrieves a Base64-encoded, RSA-encrypted payload from the C2 server, which is then decoded and decrypted to execute either three different shellcodes or a DLL. The shellcodes can collect system information and put the main CookiePlus module to sleep for a specified number of minutes.
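The three delivery mechanisms described above (a trojanized VNC binary run from a mounted image or archive, a malicious DLL sideloaded by a legitimate VNC client, and a downloader posing as a Notepad++ plugin) each leave a recognizable footprint in endpoint telemetry. The script below is an added example, not code from the article or from any of the vendors it cites: it triages constructed, Sysmon-style process-creation and image-load records against simple rules for those three patterns. Only the filenames AmazonVNC.exe, vnclang.dll and ComparePlus come from the article; the UltraVNC image names, the user-writable path heuristic, the plugin hash baseline and every sample event are assumptions made for illustration.

```python
"""Triage helper for the tradecraft described above: trojanized VNC binaries,
DLL sideloading into a legitimate VNC client, and a backdoor disguised as a
Notepad++ plugin.

The events at the bottom are constructed, Sysmon-style records, not real
telemetry. Only AmazonVNC.exe, vnclang.dll and ComparePlus come from the
article; all other names, paths and rules are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass

TROJANIZED_VNC_IMAGES = {"amazonvnc.exe"}           # from the article
SIDELOADED_DLL_NAMES = {"vnclang.dll"}               # from the article
VNC_HOST_IMAGES = {"vncviewer.exe", "winvnc.exe"}    # assumed UltraVNC image names

# Assumption: plugin DLLs are baselined by SHA-256 at install time. The digest
# below is of a constructed stand-in, not of the real ComparePlus release.
PLUGIN_BASELINE = {
    "compareplus.dll": hashlib.sha256(b"constructed benign ComparePlus bytes").hexdigest(),
}

# Heuristics (assumptions): DLLs and binaries living under a user's profile are
# more suspicious than those under Program Files, and a mounted ISO shows up as
# a drive letter other than the system drive.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I
)
NON_SYSTEM_DRIVE = re.compile(r"^[d-z]:\\", re.I)


@dataclass
class Event:
    kind: str            # "ProcessCreate" or "ImageLoad"
    image: str           # full path of the process image
    loaded: str = ""     # full path of the loaded DLL (ImageLoad only)
    signed: bool = True  # signature status as reported by the sensor
    sha256: str = ""     # hash of the loaded DLL (ImageLoad only)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return a list of finding strings for one event; an empty list means clean."""
    findings = []
    image = _basename(event.image)

    if event.kind == "ProcessCreate":
        if image in TROJANIZED_VNC_IMAGES:
            findings.append(f"known trojanized VNC image name: {image}")
        if "vnc" in image and (USER_WRITABLE.match(event.image) or NON_SYSTEM_DRIVE.match(event.image)):
            findings.append(f"VNC binary started from user-writable or mounted path: {event.image}")

    elif event.kind == "ImageLoad":
        dll = _basename(event.loaded)
        if image in VNC_HOST_IMAGES:
            if dll in SIDELOADED_DLL_NAMES:
                findings.append(f"{image} loaded DLL name associated with MISTPEN sideloading: {dll}")
            if not event.signed and USER_WRITABLE.match(event.loaded):
                findings.append(f"{image} loaded unsigned DLL from user-writable path: {event.loaded}")
        if image == "notepad++.exe" and "\\plugins\\" in event.loaded.lower():
            expected = PLUGIN_BASELINE.get(dll)
            if expected is not None and event.sha256.lower() != expected:
                findings.append(f"Notepad++ plugin DLL differs from install-time baseline: {dll}")

    return findings


# Constructed sample telemetry: three hits, then two benign events.
SAMPLE_EVENTS = [
    Event("ProcessCreate", r"E:\AmazonVNC.exe"),
    Event("ImageLoad", r"C:\Users\alice\Downloads\UltraVNC\vncviewer.exe",
          loaded=r"C:\Users\alice\Downloads\UltraVNC\vnclang.dll", signed=False),
    Event("ImageLoad", r"C:\Program Files\Notepad++\notepad++.exe",
          loaded=r"C:\Program Files\Notepad++\plugins\ComparePlus\ComparePlus.dll",
          signed=False, sha256=hashlib.sha256(b"constructed tampered plugin bytes").hexdigest()),
    Event("ProcessCreate", r"C:\Program Files\UltraVNC\vncviewer.exe"),
    Event("ImageLoad", r"C:\Program Files\Notepad++\notepad++.exe",
          loaded=r"C:\Program Files\Notepad++\plugins\ComparePlus\ComparePlus.dll",
          signed=False, sha256=PLUGIN_BASELINE["compareplus.dll"]),
]


def run(events=SAMPLE_EVENTS):
    """Triage every event and return one findings list per event, in order."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, run()):
        print(event.kind, event.image, "->", findings or "clean")
```

The plugin rule deliberately keys on a hash baseline rather than on the ComparePlus name, because the legitimate plugin carries the same filename; the value in detecting this technique lies in comparing what Notepad++ actually loads against what was installed. The VNC rules are name- and path-based and will produce false positives for users who legitimately run portable VNC clients from their Downloads folder, so they are better suited to hunting queries than to blocking.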
The Lazarus group appears to be continually refining its attack toolset and is constantly working to stay undetected by different security products. Such sophisticated attacks are hard for end users to detect, and hence security vendors need to stop them with their products, because these attacks are not only after users’ sensitive information but are even targeting national security.