The notorious Lazarus Group, linked to North Korea, has launched a sophisticated cyber espionage campaign targeting employees of a nuclear-related organization in January 2024. The attack, part of “Operation Dream Job,” resulted in the deployment of a new modular backdoor called CookiePlus.
Key Developments:
– Two employees were targeted within one month using complex infection chains
– Attackers posed as recruiters from aerospace and defense companies
– Trojanized VNC applications served as the initial infection vector
– A new backdoor, “CookiePlus,” was discovered, likely a successor to the earlier MISTPEN malware
Attack Methodology:
1. Distribution of trojanized VNC utilities (AmazonVNC.exe and UltraVNC)
2. Deployment of the MISTPEN backdoor via a malicious DLL
3. Installation of additional payloads including:
– LPEClient for system profiling
– ServiceChanger for DLL side-loading
– Charamel Loader for payload deployment
– CookiePlus for command execution and data extraction
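The chain above hinges on a trojanized VNC utility loading a malicious DLL from its own directory (the DLL side-loading pattern the ServiceChanger component serves). The following is an added example, not code from the original summary or from any vendor: a small detector that scores image-load telemetry for that pattern. The events, field names and file names (helper.dll, the Downloads path) are constructed for the example and loosely modelled on Sysmon Event ID 7 (ImageLoad); they are assumptions, not indicators from the page.

```python
import ntpath  # handles Windows paths correctly even when run on Linux

# Constructed sample telemetry (assumed schema, loosely modelled on Sysmon
# Event ID 7 ImageLoad). None of these values come from the original summary.
SAMPLE_EVENTS = [
    # A VNC-named binary in a user-writable folder loads an unsigned DLL
    # sitting beside it: the side-loading shape described in the chain above.
    {"event_id": 7, "image": r"C:\Users\jdoe\Downloads\AmazonVNC.exe",
     "image_loaded": r"C:\Users\jdoe\Downloads\helper.dll", "signed": "false"},
    # The same binary loading a signed system DLL: benign.
    {"event_id": 7, "image": r"C:\Users\jdoe\Downloads\AmazonVNC.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": "true"},
    # A properly installed VNC viewer loading a signed DLL from its install dir.
    {"event_id": 7, "image": r"C:\Program Files\UltraVNC\vncviewer.exe",
     "image_loaded": r"C:\Program Files\UltraVNC\zlib1.dll", "signed": "true"},
    # A process-creation event (ID 1) that the detector must ignore.
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": "", "signed": "true"},
]

# Path fragments that mark directories an ordinary user can write to. A
# legitimate application normally loads its DLLs from System32 or from a
# protected install directory, not from one of these.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\public\\")

# Name stem shared by the utilities abused in the chain above (assumption:
# extend this tuple with whatever lure tooling is relevant in your estate).
VNC_NAME_HINTS = ("vnc",)


def is_user_writable(path: str) -> bool:
    """True if the path lies under a typical user-writable directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def same_directory(a: str, b: str) -> bool:
    """True if both files live in the same directory (case-insensitive)."""
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def looks_like_vnc(path: str) -> bool:
    """True if the file name resembles a VNC utility."""
    name = ntpath.basename(path).lower()
    return any(hint in name for hint in VNC_NAME_HINTS)


def score_event(event: dict) -> list:
    """Return the reasons an ImageLoad event looks like DLL side-loading.

    An empty list means the event is not suspicious under these rules.
    """
    if event.get("event_id") != 7:
        return []  # only image-load events carry the DLL path we need
    process, dll = event["image"], event["image_loaded"]
    if not dll.lower().endswith(".dll"):
        return []  # the image loaded is the executable itself or not a DLL
    reasons = []
    if same_directory(process, dll) and is_user_writable(process):
        reasons.append("DLL loaded from the process's own user-writable directory")
    if event.get("signed", "true").lower() == "false" and is_user_writable(dll):
        reasons.append("unsigned DLL in a user-writable path")
    # The VNC name on its own is not evidence; it only raises an existing alert.
    if reasons and looks_like_vnc(process):
        reasons.append("host process named like a VNC utility")
    return reasons


def detect_sideload(events: list) -> list:
    """Run score_event over a batch of events and collect the alerts."""
    alerts = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            alerts.append({"process": event["image"],
                           "dll": event["image_loaded"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_sideload(SAMPLE_EVENTS):
        print(alert["process"], "->", alert["dll"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The rules deliberately require two independent signals (location and signature) before the VNC name is even considered, so a legitimately installed viewer in Program Files does not fire; in practice the same logic would be fed from an EDR or Sysmon pipeline rather than the inline list.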
Financial Impact:
According to Chainalysis, North Korean hackers have significantly increased their cryptocurrency theft:
– 2024: $1.34 billion stolen across 47 hacks
– 2023: $660.50 million stolen
– Notable 2024 incident: DMM Bitcoin exchange breach ($305 million)
The attack demonstrates Lazarus Group’s continued evolution in cyber capabilities and its focus on high-value targets in the nuclear, defense, and cryptocurrency sectors.