Lazarus Group Targets Nuclear Engineers with New Malware: A Cyberattack Exposed

1 year ago | Cybersecurity


Jakarta, INTI - In January 2024, the North Korean state-sponsored hacker group Lazarus Group targeted at least two employees of an organization connected to nuclear energy, deploying a previously undocumented malware family named CookiePlus. Lazarus Group is known for sophisticated, well-organized operations and has previously hit sensitive sectors such as defense, technology, and energy. This incident is part of its long-running cyber espionage campaign known as Operation Dream Job.

The Long-Running Cyber Espionage Campaign

Operation Dream Job, which cybersecurity firm Kaspersky tracks under the name NukeSped, has been active since at least 2020, when it was first documented by ClearSky. The campaign has targeted professionals in defense, aerospace, and cryptocurrency, among other fields. Lazarus Group's typical modus operandi is to approach the target with an enticing job offer; the documents or archives that accompany the "offer" ultimately install malware on the target's device.

The latest attack shows how far Lazarus Group's tradecraft has developed. The group now uses multi-stage infection chains and trojanizes legitimate applications to carry its malware. In this case the carrier was TightVNC, an open-source remote desktop tool, which was modified into a malicious build distributed under the file name AmazonVNC.exe.

A Complex Infection Chain Unveiled

The infection chain began with the delivery of an archive file, provided as an ISO image or a ZIP file, containing the trojanized VNC application and presented to the target as something worth opening. Once the victim ran the VNC binary, it acted as a first-stage loader and retrieved additional malicious components, among them MISTPEN, a backdoor that Mandiant documented in September 2024.

MISTPEN in turn delivered two further payloads, RollMid and LPEClient, which give the operators the ability to gather information about the infected system and issue further commands, extending their control over the device.
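The delivery stage described above relies on an archive that hides a renamed executable (AmazonVNC.exe) next to a lure. The following triage script is an added example, not code from the original article or from Kaspersky's report; it builds a constructed ZIP archive in memory (a stub with only an MZ/PE header, not real TightVNC) and flags members that are executables, that carry a PE header behind a non-executable extension, or whose name matches a hypothetical watch-list of remote-access tools. ISO images are out of scope here because the standard library has no ISO parser; the same checks apply once the image is mounted or extracted.

```python
import io
import re
import zipfile

# Extensions that execute when opened on Windows. Hypothetical list for this
# example, not an exhaustive one.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".msi",
                   ".lnk", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif"}

# Remote-access tools that rarely belong in a "job offer" attachment.
# Hypothetical watch-list for this example.
REMOTE_TOOL_PATTERN = re.compile(r"vnc|anydesk|teamviewer", re.IGNORECASE)


def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' magic and carry a plausible e_lfanew."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return 0x40 <= e_lfanew < 0x1000


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious archive member, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            with zf.open(info) as fh:
                head = fh.read(0x44)  # enough for the DOS header incl. e_lfanew
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            if looks_like_pe(head):
                reasons.append("PE header")
                if ext not in PE_EXTENSIONS:
                    reasons.append("PE with non-executable extension")
            if REMOTE_TOOL_PATTERN.search(name):
                reasons.append("remote-access tool name")
            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample ZIP for this example; not a real Lazarus artefact."""
    # Minimal DOS header: 'MZ', zero padding, e_lfanew = 0x80, then a 'PE' signature at 0x80.
    fake_pe = (b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little")
               + b"\x00" * 0x40 + b"PE\x00\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4 decoy")  # lure document
        zf.writestr("AmazonVNC.exe", fake_pe)                  # renamed "VNC" binary
        zf.writestr("config.dat", fake_pe)                     # PE hidden behind a data extension
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding)
```

The PE check deliberately ignores the file extension: an attacker can name a loader anything, but a Windows loader still needs the MZ header and a valid e_lfanew, so checking the bytes catches both the openly named AmazonVNC.exe and the disguised config.dat.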

The Evolution of Malware: From CookieTime to CookiePlus

Notably, this attack also involved an older Lazarus tool, CookieTime, first documented in 2020. CookieTime exchanges data with its command-and-control (C2) server by hiding encoded values in HTTP Cookie headers, so its traffic resembles ordinary web requests. In this intrusion it was used to retrieve further components and set the stage for the next layer of the compromise.

The more notable development is the appearance of CookiePlus, the new malware in this intrusion. CookiePlus is a downloader: it retrieves additional payloads from the attacker-controlled C2 server, decrypts them, and executes them, giving the operators a way to push new capabilities to the infected system without redeploying the implant.

Key Features of CookiePlus Malware

CookiePlus stands out among Lazarus Group's tools for the two ways it obtains its C2 configuration. It can be deployed as a DLL (Dynamic Link Library) with the C2 information embedded in its resource section, or it can read the C2 information from a separate file on disk. That flexibility lets the operators reuse the same loader across different infection scenarios and, in the second case, keep the C2 details out of the binary itself, which weakens static detection based on embedded indicators.

The name CookiePlus comes from the fact that the malware masquerades as ComparePlus, an open-source Notepad++ plugin. The variant deployed against the nuclear-related organization was instead built on top of another open-source project, DirectX-Wrappers, reusing ordinary-looking code as cover for malicious functionality.

CookiePlus's plugins collect system information and adjust the sleep interval of the main module, so the operators can slow down or reshape its beaconing over time, which makes the implant harder to spot in network telemetry. This underlines Lazarus Group's continuing shift toward modular malware that can be tuned in the field while keeping a low profile.

Lazarus Group's Growing Involvement in Cryptocurrency Crimes

Meanwhile, blockchain intelligence firm Chainalysis reported that North Korean state hackers, of whom Lazarus Group is the most prominent, have become increasingly active against cryptocurrency platforms. In 2024 they stole more than $1.34 billion across 47 incidents, nearly double the $660.5 million taken in 2023. One of the largest breaches occurred in May 2024, when the Japanese cryptocurrency exchange DMM Bitcoin lost about $305 million.

These large-scale thefts show how Lazarus Group keeps adapting its operations to the digital-currency sector. The group is broadening its target set: alongside espionage against specific industries, it is increasingly pursuing the direct financial gain that cryptocurrency platforms offer.

Facing the Threat of Lazarus Group

Lazarus Group remains a significant threat to the global technology and industrial sectors. Its capacity to run sophisticated, well-organized operations continues to grow, and it keeps adding new techniques for getting past defenses.

Organizations therefore need to stay vigilant. Practical steps include obtaining software only from verified sources and checking signatures or published hashes before running it, treating unsolicited job offers and their attachments with suspicion, training employees to recognize such lures, and keeping systems patched.

This incident is a reminder of how quickly cyber threats evolve and how important it is for individuals and organizations to follow current threat intelligence in order to protect their information and assets.
