{
  "name": "North Korean group targets nuclear-related organization with new malware",
  "slug": "north-korean-group-targets-nuclear-related-organization-with-new-malware",
  "description": "The Lazarus group has evolved its infection chain by targeting employees of a nuclear-related organization with a combination of new and old malware. The attack involved delivering malicious archive files containing trojanized VNC utilities and various malware strains including Ranid Downloader, MISTPEN, RollMid, LPEClient, CookieTime, and a new modular backdoor called CookiePlus. The infection chain has become more complex, demonstrating improved delivery and persistence methods. CookiePlus, likely the successor to MISTPEN, can download both DLLs and shellcode, making it difficult to detect. The group used compromised WordPress servers as command and control infrastructure for most of the malware.",
  "published": "2024-12-19T11:57:38+00:00",
  "created_at": "2024-12-19T11:57:38+00:00",
  "modified_at": "2024-12-19T12:39:21+00:00",
  "created_at_opencti": "2024-12-19T11:57:38+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-19",
    "charamel loader",
    "cookieplus",
    "cookietime",
    "deathnote campaign",
    "lpeclient",
    "mistpen",
    "modular malware",
    "nuclear",
    "ranid downloader",
    "rollmid",
    "servicechanger",
    "supply-chain",
    "trojanized vnc",
    "wordpress c2"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d"
      }
    ],
    "malware": [
      {
        "id": "e4ead458-1e93-4c8d-9836-54859205b2f6",
        "name": "ServiceChanger",
        "slug": "servicechanger"
      },
      {
        "id": "6b15052b-6f48-4e91-b2b7-ab6bf8287386",
        "name": "Charamel Loader",
        "slug": "charamel-loader"
      },
      {
        "id": "797e37b7-2740-4487-8049-9ec76d918086",
        "name": "CookiePlus",
        "slug": "cookieplus"
      },
      {
        "id": "79c3b114-6c72-4897-b5d4-e22988645a9e",
        "name": "CookieTime",
        "slug": "cookietime"
      },
      {
        "id": "eb5a28a1-4251-4311-88d7-8ec86f5f0c42",
        "name": "RollMid",
        "slug": "rollmid"
      },
      {
        "id": "6d13cf2c-227d-45ff-842e-88cfbd88768a",
        "name": "Ranid Downloader",
        "slug": "ranid-downloader"
      },
      {
        "id": "bea97d6e-34e1-4f58-8355-78574dc8d67d",
        "name": "MISTPEN",
        "slug": "mistpen"
      },
      {
        "id": "281c9e68-c647-4a35-9832-a8302ea5cde6",
        "name": "LPEClient",
        "slug": "lpeclient"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d84018a2-9bb1-45dd-94a2-38a8deb013c0",
        "name": "Lazarus",
        "slug": "lazarus"
      }
    ],
    "attack_patterns": [
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "b6e505a1-fadb-491a-b4f1-151443fdc8c3",
        "name": "T1001"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2019-0859"
      },
      {
        "id": "",
        "name": "CVE-2019-0797"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Energy"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/lazarus-new-malware/115059/",
    "https://otx.alienvault.com/pulse/676418424f634ad08e086e01"
  ]
}