TIP: Click on subject to list as thread! ANSI
echo: politics
to: All
from: Mike Powell
date: 2024-12-23 08:59:00
subject: North Korean Lazarus hack
North Korean Lazarus hackers are targeting nuclear workers

Date:
Mon, 23 Dec 2024 11:43:44 +0000

Description:
Nuclear workers were also targeted with brand new malware.

FULL STORY

The infamous Lazarus Group, a threat actor linked to the North Korean
government, was recently observed targeting IT professionals within the same
nuclear-related organization with new malware strains. 

These attacks seem to be a continuation of a campaign first kicked off in
2020, called Operation DreamJob (AKA Deathnote), were the attackers would
create fake jobs and offer these dreamy positions to people working in
defense, aerospace, cryptocurrency, and other global sectors, around the
world. 

They would reach out via social media such as LinkedIn or X, and run multiple
rounds of interviews. At any point during these interviews, the victims would
be either dropped a piece of malware, or trojanized remote access tools.

CookieTime and CookiePlus 

The end goal of this campaign is to either steal sensitive information, or
cryptocurrency. Lazarus has, among other things, managed to steal roughly 
$600 million from a crypto company back in 2022. 

As Kaspersky explained in its latest writeup, in this case, Lazarus targeted
two individuals with malicious remote access tools. They then used the tools
to drop a piece of malware called CookieTime, which acted as a backdoor,
allowing the attackers to run different commands on the compromised endpoint. 

This gave them the ability to move laterally across the network and download
several additional malware strains, such as LPEClient, Charamel Loader,
ServiceChanger, and an updated version of CookiePlus. 

Kaspersky says CookiePlus is particularly interesting, since it is a new
plugin-based malicious program, discovered during the most recent
investigation. It was loaded by both ServiceChanger and Charamel Loader, with
variants being executed differently, depending on the loader. Since 
CookiePlus acts as a downloader, its functionality is limited, and it
transmits minimal information. 

The attacks took place in January 2024, meaning Lazarus remains a major 
threat coming out of North Korea. 

 Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/north-korean-lazarus-hackers-are-target
ing-nuclear-workers

$$
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SOURCE: echomail via QWK@pharcyde.org

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.