Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware

Summary:
The Lazarus Group, a North Korean state-sponsored threat actor, has been linked to sophisticated cyberattacks targeting employees of a nuclear-related organization in January 2024. These attacks used a complex infection chain culminating in the deployment of a new modular backdoor, CookiePlus. These operations are part of a longstanding espionage campaign known as Operation Dream Job or NukeSped, which has been active since at least 2020. Lazarus frequently targets sectors such as defense, aerospace, and cryptocurrency by luring victims with fake job opportunities. Recent attacks employed trojanized tools, such as modified VNC utilities, under the guise of IT skills assessments for aerospace and defense roles. These tools delivered malware like AmazonVNC.exe, which sideloaded a backdoor called MISTPEN to execute further payloads, including RollMid and an enhanced variant of LPEClient.

One targeted organization saw CookieTime malware used to move laterally between systems, deploying additional payloads like ServiceChanger and the Charamel Loader, which in turn activated CookiePlus. This malware mimicked an open-source Notepad++ plugin and served as a downloader for encrypted payloads from command-and-control (C2) servers. Its capabilities included collecting system data and disguising its activities to evade detection.

Security Officer Comments:

CookiePlus, which may succeed MISTPEN, exemplifies Lazarus’s continual refinement of modular malware frameworks. Historically, Lazarus relied on tools like Mata and Gopuram Loader, but the introduction of CookiePlus indicates their effort to enhance their tools and bypass security defenses. These cyberattacks occurred amidst rising North Korean cryptocurrency thefts, with Lazarus-linked operations stealing $1.34 billion across 47 hacks in 2024—more than double the amount stolen in 2023.

Suggested Corrections:

IOCs:
https://securelist.com/lazarus-new-malware/115059/

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Even with preventive measures in place, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

Link(s):
https://thehackernews.com/2024/12/lazarus-group-spotted-targeting-nuclear.html

https://securelist.com/lazarus-new-malware/115059/