North Korean group targets nuclear-related organization with new malware

Dec. 19, 2024, 1:39 p.m.

Description

The Lazarus group has evolved its infection chain, targeting employees of a nuclear-related organization with a combination of new and old malware. The attack delivered malicious archive files containing trojanized VNC utilities and several malware strains, including Ranid Downloader, MISTPEN, RollMid, LPEClient, CookieTime, and a new modular backdoor called CookiePlus. The infection chain has become more complex, showing improved delivery and persistence methods. CookiePlus, likely the successor to MISTPEN, can download both DLLs and shellcode, which makes it harder to detect. For most of the malware, the group used compromised WordPress servers as command-and-control infrastructure.

Date

  • Created: Dec. 19, 2024, 12:57 p.m.
  • Published: Dec. 19, 2024, 12:57 p.m.
  • Modified: Dec. 19, 2024, 1:39 p.m.

Indicators

  • 6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d

Attack Patterns

  • ServiceChanger
  • Charamel Loader
  • CookiePlus
  • CookieTime
  • RollMid
  • Ranid Downloader
  • MISTPEN
  • LPEClient
  • Lazarus

Additional Information

  • Energy

Linked vulnerabilities