
North Korean group targets nuclear-related organization with new malware

Dec. 19, 2024, 1:39 p.m.

Description

The Lazarus group has evolved its infection chain, targeting employees of a nuclear-related organization with a mix of new and old malware. The attack delivered malicious archive files containing trojanized VNC utilities together with several malware families: Ranid Downloader, MISTPEN, RollMid, LPEClient, CookieTime, and a new modular backdoor named CookiePlus. The chain has grown more complex, with improved delivery and persistence. CookiePlus, likely the successor to MISTPEN, can fetch either a DLL or shellcode as its next stage; because that stage is retrieved at runtime rather than bundled, analysis of the backdoor alone does not reveal what it will execute, which complicates detection. Compromised WordPress servers served as command-and-control infrastructure for most of the malware.

Date

Published: Dec. 19, 2024, 12:57 p.m.

Created: Dec. 19, 2024, 12:57 p.m.

Modified: Dec. 19, 2024, 1:39 p.m.

Indicators

6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d
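
The feed lists a single bare hash with no algorithm label. The following is an added example, not code from the page or from the researchers who published the report: it classifies a bare hex indicator by length (64 hex characters is SHA-256), then streams every regular file under a directory through hashlib and reports matches. The indicator is copied from the Indicators section above; the directory, the file names and the planted sample are constructed here so the script runs offline. The planted sample is not the real artifact, and its hash is added to the indicator set only so the match path is exercised.

```python
"""IOC hash hunt: match files under a directory against bare hash indicators.

Added example for this feed entry. The only real indicator is the SHA-256 copied
from the page; everything else (paths, sample bytes) is constructed.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 indicator copied from the page's "Indicators" section.
PAGE_INDICATORS = {
    "6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d",
}

# Constructed bytes standing in for a planted sample; NOT the real artifact.
PLANTED_SAMPLE = b"constructed sample, not the real artifact\n"

_HEX = re.compile(r"^[0-9a-f]+$")
# Feeds often list bare hashes; tell the algorithm apart by digest length.
_LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_indicator(value: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' for a bare hex hash; raise ValueError otherwise."""
    v = value.strip().lower()
    if not _HEX.match(v) or len(v) not in _LENGTH_TO_ALGO:
        raise ValueError(f"not a bare hex hash: {value!r}")
    return _LENGTH_TO_ALGO[len(v)]


def file_hash(path: Path, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream the file through hashlib so large archives never load fully into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: Path, indicators: set[str]) -> list[tuple[str, str]]:
    """Walk `root`, hash each regular file, return (path, digest) pairs that match.

    Indicators are grouped by algorithm so a file is hashed once per algorithm in use.
    Symlinks are skipped so a hostile tree cannot redirect the scan outside `root`.
    """
    by_algo: dict[str, set[str]] = {}
    for ioc in indicators:
        by_algo.setdefault(classify_indicator(ioc), set()).add(ioc.strip().lower())

    hits: list[tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            for algo, wanted in by_algo.items():
                try:
                    digest = file_hash(p, algo)
                except OSError:
                    continue  # unreadable file: skip rather than abort the hunt
                if digest in wanted:
                    hits.append((str(p), digest))
    return hits


def demo() -> list[tuple[str, str]]:
    """Build a constructed tree with one planted sample and one benign file, then scan it."""
    indicators = set(PAGE_INDICATORS) | {hashlib.sha256(PLANTED_SAMPLE).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "archive").mkdir()
        # Constructed file name; the page only says the archives carried trojanized VNC utilities.
        (root / "archive" / "vnc_viewer.exe").write_bytes(PLANTED_SAMPLE)
        (root / "readme.txt").write_bytes(b"benign\n")
        return scan_tree(root, indicators)


if __name__ == "__main__":
    for path, digest in demo():
        print(f"MATCH {digest}  {path}")
```

Point `scan_tree` at a mounted evidence image or a download directory and feed it the full IOC list you pull from the feed; mixed MD5/SHA-1/SHA-256 lists are handled without pre-sorting, and an indicator that is not a bare hex digest is rejected up front rather than silently never matching.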

Attack Patterns

ServiceChanger

Charamel Loader

CookiePlus

CookieTime

RollMid

Ranid Downloader

MISTPEN

LPEClient

Lazarus

T1573 (Encrypted Channel)

T1574 (Hijack Execution Flow)

T1071 (Application Layer Protocol)

T1543 (Create or Modify System Process)

T1102 (Web Service)

T1036 (Masquerading)

T1204 (User Execution)

T1140 (Deobfuscate/Decode Files or Information)

T1132 (Data Encoding)

T1027 (Obfuscated Files or Information)

T1053 (Scheduled Task/Job)

T1001 (Data Obfuscation)

T1566 (Phishing)

T1190 (Exploit Public-Facing Application)

T1133 (External Remote Services)

T1059 (Command and Scripting Interpreter)

CVE-2019-0859 (Windows win32k.sys elevation of privilege)

CVE-2019-0797 (Windows win32k.sys elevation of privilege)

Additional Information

Energy