Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide


The Lazarus Group has recently employed a sophisticated attack, dubbed “Operation DreamJob,” to target employees in critical sectors like nuclear energy, which involves distributing malicious archive files disguised as legitimate job offers. 

Once executed, these files unleash a multi-stage infection chain, comprising a downloader, loader, and backdoor, allowing the threat actor to establish persistent access to compromised systems, potentially enabling data theft, espionage, or disruptive attacks.

Lazarus, known for supply chain attacks, has evolved its tactics, as in a recent campaign, they sent trojanized VNC utilities disguised as skills assessment archives. 

– Advertisement –
SIEM as a Service
Malicious files created on the victims’ hostsMalicious files created on the victims’ hosts
Malicious files created on the victims’ hosts

After initial compromise, they intensified attacks on specific targets, which highlights the group’s adaptability and underscores the need for vigilant security practices, especially against evolving threat actors.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The group used ISO files (instead of easily detectable ZIP) to deliver a trojanized TightVNC (AmazonVNC.exe) disguised as a legitimate VNC viewer, which generated an XOR key based on a provided IP address to decrypt downloader Ranid stored within the VNC executable. 

In another case, Lazarus used a ZIP archive containing a legitimate vncviewer.exe alongside a malicious vnclang.dll (MISTPEN loader). vnclang.dll downloaded additional payloads, including the recently discovered RollMid and a new LPEClient variant.  

Malicious AmazonVNC.exe Malicious AmazonVNC.exe 
Malicious AmazonVNC.exe 

The Lazarus group utilized CookieTime malware as a versatile tool for lateral movement and payload delivery. Initially, CookieTime directly received commands from a C2 server. 

However, it evolved to download and execute various malware strains, including LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus. 

CookieTime leverages diverse loading techniques, such as DLL side-loading and service execution, to maintain persistence and evade detection.

By exploiting legitimate services like ssh-agent and leveraging DLL side-loading with malicious DLLs, the attackers ensured stealthy and persistent operations.

Overall malware-to-malware flowchartOverall malware-to-malware flowchart
Overall malware-to-malware flowchart

CookiePlus, a new plugin-based malware, was discovered, which can be loaded by either ServiceChanger or Charamel Loader and downloads additional payloads from the C2 server after initial communication. 

The payloads are encrypted with ChaCha20 and can be either DLLs or shellcodes. CookiePlus uses a 32-byte data array as a key to decrypt the payloads, where the type of payload is determined by a flag, and if it’s a DLL, CookiePlus will load it into memory. 

If it’s a shellcode, CookiePlus will grant it execute permission before execution, and the execution result is then encrypted and sent back to the C2 server. CookiePlus is likely the successor to MISTPEN based on similar functionalities and plugin usage. 

CookiePlus C2 communication processCookiePlus C2 communication process
CookiePlus C2 communication process

According to Secure List, the Lazarus group has recently employed a new tactic, utilizing compromised WordPress servers as C2s for their malicious activities. 

This shift, coupled with the introduction of modular malware like CookiePlus, indicates the group’s ongoing efforts to enhance their arsenal and bypass security measures. 

CookiePlus’s ability to function as a downloader further complicates threat detection and response, as it can potentially deliver various payloads, including additional malware. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free



Source link