1. Forum
  2. Fidonet
  3. POLITICS

  • North Korean Lazarus hack

    From Mike Powell@1:2320/105 to All on Mon Dec 23 08:59:00 2024
    North Korean Lazarus hackers are targeting nuclear workers

    Date:
    Mon, 23 Dec 2024 11:43:44 +0000

    Description:
    Nuclear workers were also targeted with brand new malware.

    FULL STORY

    The infamous Lazarus Group, a threat actor linked to the North Korean government, was recently observed targeting IT professionals within the same nuclear-related organization with new malware strains.

    These attacks seem to be a continuation of a campaign first kicked off in
    2020, called Operation DreamJob (AKA Deathnote), were the attackers would create fake jobs and offer these dreamy positions to people working in
    defense, aerospace, cryptocurrency, and other global sectors, around the
    world.

    They would reach out via social media such as LinkedIn or X, and run multiple rounds of interviews. At any point during these interviews, the victims would be either dropped a piece of malware, or trojanized remote access tools.

    CookieTime and CookiePlus

    The end goal of this campaign is to either steal sensitive information, or cryptocurrency. Lazarus has, among other things, managed to steal roughly
    $600 million from a crypto company back in 2022.

    As Kaspersky explained in its latest writeup, in this case, Lazarus targeted two individuals with malicious remote access tools. They then used the tools
    to drop a piece of malware called CookieTime, which acted as a backdoor, allowing the attackers to run different commands on the compromised endpoint.

    This gave them the ability to move laterally across the network and download several additional malware strains, such as LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus.

    Kaspersky says CookiePlus is particularly interesting, since it is a new plugin-based malicious program, discovered during the most recent investigation. It was loaded by both ServiceChanger and Charamel Loader, with variants being executed differently, depending on the loader. Since
    CookiePlus acts as a downloader, its functionality is limited, and it
    transmits minimal information.

    The attacks took place in January 2024, meaning Lazarus remains a major
    threat coming out of North Korea.

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/north-korean-lazarus-hackers-are-target ing-nuclear-workers

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)