A sophisticated cyber espionage campaign targeting employees at an undisclosed nuclear organization has been attributed to North Korea's notorious Lazarus Group, according to new findings from cybersecurity researchers at Kaspersky.
The attacks, detected in January 2024, focused on at least two employees within the same nuclear-related organization as part of the group's ongoing "Operation Dream Job" campaign.
The hackers deployed an intricate infection chain using multiple types of malware, including a new modular tool called CookiePlus. Initial access relied on malicious ISO files containing trojanized VNC software, which delivered several malware strains while evading detection.
Among the malware deployed were Ranid Downloader, MISTPEN, RollMid, and a sophisticated tool called CookieTime that was used to download additional malicious payloads. The attackers also utilized a program called ServiceChanger to manipulate legitimate services and load malicious code through DLL side-loading techniques.
The research team noted that CookiePlus appears to be an evolution of earlier tools, offering more execution options than previous versions. It disguises itself as a Notepad++ plugin and keeps communication with its command-and-control servers to a minimum to avoid detection.
The attack infrastructure relied heavily on compromised WordPress websites across multiple countries, which served as command and control servers for most of the malware variants deployed in the campaign.
This latest attack represents an expansion of Lazarus Group's capabilities, as the threat actor typically uses a limited set of malware frameworks. The introduction of new modular malware like CookiePlus indicates ongoing efforts to enhance their attack methods and evade security measures.
The researchers warn that the modular nature of CookiePlus makes it challenging for security teams to determine the full scope of a compromise, because the malware can fetch additional components without being detected. With the tool still under active development, the experts anticipate new plugins and capabilities in future attacks.