- Kaspersky recently found new additions to the Lazarus DreamJob campaign
- The attackers targeted two people working at the same nuclear-related organization
- In the attack they used updated malware to try to gain access
The notorious Lazarus Group, a threat actor linked to the North Korean government, was recently observed targeting IT professionals within the same nuclear-related organization with new malware strains.
These attacks appear to be a continuation of a campaign first launched in 2020, known as Operation DreamJob (also known as DeathNote), in which the attackers create fake job openings and offer these dream positions to people working in defense, aerospace, cryptocurrency, and other sectors around the world.
They reach out via social media such as LinkedIn or X and run several rounds of "interviews". At any point during these interviews, the victims are served either a piece of malware or trojanized remote access tools.
CookieTime and CookiePlus
The end goal of this campaign is to steal either sensitive information or cryptocurrency. Lazarus has, among other things, managed to steal roughly $600 million from a crypto company back in 2022.
As Kaspersky explained in its latest writeup, in this case Lazarus targeted two individuals with malicious remote access tools. They then used those tools to drop a piece of malware called CookieTime, which acted as a backdoor, allowing the attackers to run different commands on the compromised endpoint.
This gave them the ability to move laterally across the network and download several additional malware strains, such as LPEClient, Charamel Loader, ServiceChanger, and the newly identified CookiePlus.
Kaspersky says CookiePlus is particularly interesting, since it is a new plugin-based piece of malware discovered during the latest investigation. It was loaded by both ServiceChanger and Charamel Loader, with the variants being executed differently depending on the loader. Since CookiePlus acts as a downloader, its functionality is limited and it transmits minimal data.
The attacks took place in January 2024, meaning Lazarus remains a major threat coming out of North Korea.
Via The Hacker News