- Kaspersky recently discovered new elements of the Lazarus DreamJob campaign
- The perpetrators targeted two people who worked at the same nuclear-related company
- In their attacks, they used newer malware to try to gain access
The notorious Lazarus group, a threat group with ties to the North Korean government, was recently discovered to be targeting IT professionals within the same nuclear-related organization with new attack methods and malware strains.
The attacks appear to be a continuation of a campaign first launched in 2020 called “Operation Dream Jobs” (also known as “Death Note”), in which the attackers create fake job offers and target the defense, aerospace, cryptocurrency and other global industries. They offer these “dream jobs” to staff all over the world.
The attackers contact their targets through social media such as LinkedIn or X and conduct multiple rounds of “interviews.” At some point during these interviews, the victim is infected with either malware or a trojanized remote access tool.
CookieTime and CookiePlus
The ultimate goal of the campaign is to steal sensitive information or cryptocurrency. Back in 2022, Lazarus managed to steal approximately $600 million from a cryptocurrency company.
As Kaspersky explains in its latest article, in this case Lazarus targeted two individuals with a malicious remote access tool. They then used this tool to deploy a piece of malware called CookieTime, which acted as a backdoor and allowed the attackers to execute various commands on the infected endpoints.
This allowed them to move laterally across the network and download several other types of malware, such as updated versions of LPEClient, Charamel Loader, ServiceChanger and CookiePlus.
Kaspersky says CookiePlus is particularly interesting because it is a new plug-in-based malware discovered during the recent investigation. It is loaded by ServiceChanger and Charamel Loader, and the variant behaves differently depending on which loader runs it. Since CookiePlus acts as a downloader, its own functionality is limited and it transfers only minimal information.
These attacks occurred in January 2024, showing that Lazarus remains the main threat actor from North Korea.
Via Hacker News