North Korean Hackers Deploy New CookiePlus Malware in Nuclear Industry Espionage

North Korean Hackers Target Nuclear Organization with Sophisticated Malware Campaign

The notorious Lazarus Group, linked to North Korea, launched a sophisticated cyber espionage campaign against employees of a nuclear-related organization in January 2024. The attack, part of “Operation Dream Job,” led to the deployment of a new modular backdoor called CookiePlus.

Key Developments:
– Two employees were targeted within one month using complex infection chains
– Attackers posed as recruiters from aerospace and defense companies
– Malicious VNC applications were used as initial attack vectors
– New backdoor “CookiePlus” discovered, likely succeeding previous MISTPEN malware

Attack Methodology:
1. Distribution of trojanized VNC utilities (AmazonVNC.exe and UltraVNC)
2. Deployment of MISTPEN backdoor via malicious DLL
3. Installation of additional payloads including:
– LPEClient for system profiling
– ServiceChanger for DLL side-loading
– Charamel Loader for payload deployment
– CookiePlus for command execution and data extraction

Financial Impact:
According to Chainalysis, North Korean hackers have significantly increased their cryptocurrency theft:
– 2024: $1.34 billion stolen across 47 hacks
– 2023: $660.50 million stolen
– Notable 2024 incident: DMM Bitcoin exchange breach ($305 million)

The attack demonstrates Lazarus Group’s continued evolution in cyber capabilities and its focus on high-value targets in the nuclear, defense, and cryptocurrency sectors.