Full Report
The Lazarus Group, an infamous threat actor linked to the Democratic People's Republic of Korea (DPRK), has been observed leveraging a "complex infection chain" targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024. The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
* **Attribution:** Linked to the Democratic People's Republic of Korea (DPRK).
* **Known Aliases/Associations:** Operation Dream Job, NukeSped (tracked by Kaspersky), UNC2970 (tracked by Mandiant).
## Activity Summary
Lazarus Group executed a complex infection chain targeting at least two employees of an unnamed nuclear-related organization in January 2024. This activity is part of the long-running cyber espionage campaign, Operation Dream Job (NukeSped).
The attack leveraged the second method of their DeathNote campaign: distributing trojanized remote access tools (VNC) under the pretext of skills assessment interviews for IT positions at aerospace and defense companies.
The initial infection involved trojanized VNC applications (like "AmazonVNC.exe," a modified TightVNC) delivered via ISO or ZIP files. In some cases, a legitimate UltraVNC was used to sideload a malicious DLL ("vnclang.dll") which loaded the MISTPEN backdoor.
Later activity between February and June 2024 showed lateral movement from Host A to Host C, where various payloads, including CookieTime, were dropped.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Social engineering targeting employees with lucrative job offers; distribution of trojanized remote access tools (VNC) for skills assessments; delivery via malicious documents or trojanized PDF viewers (mentioned as an alternate method).
- **Execution/Persistence:** Sideloading malicious DLLs using legitimate executables (e.g., "vnclang.dll" sideloaded via UltraVNC executable).
- **Lateral Movement:** Observed moving from an initial host (Host A) to another machine (Host C).
- **Malware Staging/Loading:** Use of loaders such as Charamel Loader (decrypts and loads internal resources) and ServiceChanger (stops a service to sideload a rogue DLL).
- **Modular Payloads:** Deployment of a modular backdoor named CookiePlus, and use of MISTPEN.
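The sideloading described above (a legitimate executable such as UltraVNC resolving "vnclang.dll" from its own directory) is the kind of event an endpoint sensor records as an image-load. The following Python is an added example, not code from the report or from any vendor; it runs a small set of detection rules over constructed Sysmon-style "Image loaded" records. The DLL name vnclang.dll and the UltraVNC/AmazonVNC executables come from the report; every path, signer string and the extra DLL names are assumptions made for the sample.

```python
"""Toy DLL-sideloading detector over constructed Sysmon-style image-load events."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    """One simplified 'Image loaded' record (Sysmon Event ID 7-like fields)."""
    process: str   # the executable that loaded the DLL
    image: str     # full path of the loaded DLL
    signed: bool   # whether the DLL carried a valid Authenticode signature
    signer: str    # publisher name, or "" when unsigned


# Constructed sample telemetry, not real events. The E:\ drive stands in for a
# mounted ISO, the kind of delivery the report describes.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe",
              r"C:\Windows\System32\user32.dll", True, "Microsoft Windows"),
    ImageLoad(r"E:\SkillsTest\UltraVNC\vncviewer.exe",
              r"E:\SkillsTest\UltraVNC\vnclang.dll", False, ""),
    ImageLoad(r"C:\Users\jdoe\Downloads\AmazonVNC\AmazonVNC.exe",
              r"C:\Users\jdoe\Downloads\AmazonVNC\version.dll", False, ""),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\plugin.dll", True, "Vendor Inc"),
]

# Directories Windows normally serves system DLLs from (lower-cased, no trailing slash).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Install locations where a co-located unsigned DLL is less surprising (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# DLL name named in the report as the sideloaded component.
KNOWN_ABUSED_DLLS = {"vnclang.dll"}
# Real Windows DLL names; a copy of one of these outside SYSTEM_DIRS is a classic
# search-order sideload (assumed list, not from the report).
SYSTEM_DLL_NAMES = {"kernel32.dll", "user32.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}


def sideload_findings(events):
    """Return (process, dll, reasons) for every event matching at least one rule."""
    findings = []
    for ev in events:
        dll_dir = ntpath.dirname(ev.image).lower()
        dll_name = ntpath.basename(ev.image).lower()
        proc_dir = ntpath.dirname(ev.process).lower()
        reasons = []
        # Rule 1: a DLL name already tied to this tradecraft.
        if dll_name in KNOWN_ABUSED_DLLS:
            reasons.append("known-abused-name")
        # Rule 2: a system DLL name resolved from a non-system directory.
        if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
            reasons.append("system-dll-shadowed")
        # Rule 3: unsigned DLL sitting next to its loader in a user-controlled location.
        if (not ev.signed and dll_dir == proc_dir
                and not dll_dir.startswith(TRUSTED_PREFIXES)):
            reasons.append("unsigned-colocated")
        if reasons:
            findings.append((ev.process, ev.image, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for proc, dll, why in sideload_findings(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}: {', '.join(why)}")
```

Rule 3 is the one that generalises beyond the report: it does not need a name list, only the signature status and the observation that the DLL was resolved from the loader's own directory rather than a system directory. Tune TRUSTED_PREFIXES to the environment, since many legitimate installers also ship unsigned DLLs next to their executables.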
## Targeting
* **Sectors:** Nuclear-related organizations, Aerospace and Defense, Developers, Cryptocurrency, Global sectors.
* **Geography:** Not explicitly detailed for the latest incident, but activity is historically global.
* **Victims:** At least two employees within an unnamed nuclear-related organization in January 2024; IT positions at prominent aerospace and defense companies targeted via social engineering.
## Tools & Infrastructure
* **Malware Families Used:**
  * **CookiePlus:** New modular backdoor, suspected successor to MISTPEN, loaded by ServiceChanger and Charamel Loader. Based on the DirectX-Wrappers project.
  * **MISTPEN:** Backdoor uncovered by Mandiant (UNC2970), which delivered RollMid and LPEClient.
  * **CookieTime:** Malware using encoded cookie values in HTTP requests to fetch C2 instructions (active since 2020).
  * **LPEClient:** Malware used for profiling compromised hosts.
  * **ServiceChanger:** Malware designed to stop a legitimate service to allow DLL side-loading.
  * **Charamel Loader:** Loader that decrypts and loads internal resources including CookieTime, CookiePlus, and ForestTiger.
  * **RollMid:** Additional payload delivered by MISTPEN.
* **Infrastructure:** C2 communication utilized by CookieTime involved encoded cookie values in HTTP requests. CookiePlus retrieves its payload via Base64-encoded, RSA-encrypted data from the C2 server.
## Implications
Lazarus Group continues to evolve its arsenal, demonstrated by the introduction of the modular CookiePlus malware, indicating efforts to constantly improve infection chains and evade security defenses. Their focus remains on high-value targets, particularly those related to sensitive technology sectors (nuclear, defense, aerospace), often employing sophisticated social engineering techniques centered around employment lures. The observed increased scale of related DPRK crypto theft ($1.34 billion stolen in 2024) suggests high funding driving these espionage and disruptive campaigns.
## Mitigations
- Harden security controls against sophisticated social engineering attempts related to fake job offers, especially those involving requests to install or run unconventional software like VNC utilities for "skills assessments."
- Implement robust endpoint detection and response (EDR) capable of detecting DLL sideloading techniques (e.g., monitoring illegitimate loading of DLLs by legitimate executables like UltraVNC).
- Monitor and inspect suspicious network traffic patterns and C2 communications, paying attention to the use of encoded values in HTTP requests (as seen with CookieTime).
- Maintain vigilance regarding known malware families like MISTPEN and CookiePlus, ensuring detection signatures are up-to-date.
- Apply principles of Zero Trust, especially around network segmentation to limit lateral movement when initial compromises occur.
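The CookieTime behaviour noted under Tools & Infrastructure (encoded cookie values carrying C2 tasking) and the monitoring recommendation above both come down to the same check on proxy telemetry: is a Cookie header value long, base64-shaped and high-entropy where a normal session cookie would not be? The Python below is an added example, not code from the report; it parses a constructed tab-separated proxy log (host names use the .test TLD and are placeholders, not indicators from the report) and scores each cookie value with a length, character-set and Shannon-entropy heuristic.

```python
"""Toy detector for C2-style encoded cookie values in a constructed web-proxy log."""
import math
import re
from collections import Counter

# Constructed log: timestamp, client, host, path, Cookie header (tab-separated).
# Lines 2 and 3 carry 64-character base64 blobs (bytes 0x00..0x2f and the same
# bytes reversed); line 1 and 4 carry an ordinary hex session id.
SAMPLE_LOG = """\
2024-01-15T10:02:11Z\t10.0.0.5\tshop.example.test\t/cart\tsessionid=5f2a9c0e1b7d4e3fa8c6b2d1e0f94a7c; theme=dark
2024-01-15T10:02:13Z\t10.0.0.5\tcdn.example-news.test\t/index.php\tid=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v
2024-01-15T10:03:40Z\t10.0.0.5\tcdn.example-news.test\t/index.php\tid=Ly4tLCsqKSgnJiUkIyIhIB8eHRwbGhkYFxYVFBMSERAPDg0MCwoJCAcGBQQDAgEA
2024-01-15T10:05:02Z\t10.0.0.7\tshop.example.test\t/cart\tsessionid=5f2a9c0e1b7d4e3fa8c6b2d1e0f94a7c; consent=yes
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the value's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_encoded_blob(value: str, min_len: int = 32, min_entropy: float = 3.5) -> bool:
    """Heuristic: long, base64 character set, mixed case plus digits, high entropy.

    The mixed-case requirement keeps plain hex session ids (max 4 bits/char but
    single-case) from tripping the rule; thresholds are assumptions to tune."""
    if len(value) < min_len or not B64_RE.match(value):
        return False
    if not (any(c.isupper() for c in value) and any(c.islower() for c in value)
            and any(c.isdigit() for c in value)):
        return False
    return shannon_entropy(value) >= min_entropy


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs


def suspicious_cookie_requests(log_text: str) -> list:
    """One finding per cookie value that looks like an encoded blob."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, cookie = line.split("\t", 4)
        for name, value in parse_cookie_header(cookie).items():
            if is_encoded_blob(value):
                findings.append({"ts": ts, "client": client, "host": host, "path": path,
                                 "cookie": name, "entropy": round(shannon_entropy(value), 2)})
    return findings


def hosts_by_hits(findings: list) -> dict:
    """Aggregate findings per destination host, most hits first."""
    return dict(Counter(f["host"] for f in findings).most_common())


if __name__ == "__main__":
    hits = suspicious_cookie_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {h['host']}{h['path']} cookie={h['cookie']} H={h['entropy']}")
    print(hosts_by_hits(hits))
```

The per-host aggregation is what makes this usable: a single high-entropy cookie is common (signed session tokens, CDN affinity cookies), but the same client repeatedly sending a fresh high-entropy value to one low-reputation host on a fixed path is the beaconing shape worth a triage ticket. The same length-and-entropy test applies to response bodies where the report describes CookiePlus fetching Base64-encoded, RSA-encrypted payloads.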