North Korean group targets nuclear-related organization with new malware
Essential information
- Published
- 19/12/2024 12:57
- Modified
- 19/12/2024 13:39
- Tags
- 2024-12-19 charamel loader cookieplus cookietime deathnote campaign lpeclient mistpen modular malware nuclear ranid downloader rollmid servicechanger supply-chain trojanized vnc wordpress c2
- Related entities
- 2 vulnerabilities (cve), 1 observables, 1 intrusion sets (apt), 16 techniques (mitre), 8 malware, 1 others
Description
The Lazarus group has evolved its infection chain by targeting employees of a nuclear-related organization with a combination of new and old malware. The attack involved delivering malicious archive files containing trojanized VNC utilities and various malware strains including Ranid Downloader, MISTPEN, RollMid, LPEClient, CookieTime, and a new modular backdoor called CookiePlus. The infection chain has become more complex, demonstrating improved delivery and persistence methods. CookiePlus, likely the successor to MISTPEN, can download both DLLs and shellcode, making it difficult to detect. The group used compromised WordPress servers as command and control infrastructure for most of the malware.