| Category | Details |
|---|---|
| Threat Actors | Lazarus Group (North Korean state-sponsored) |
| Campaign Overview | DeathNote campaign (also called “Operation DreamJob”), targeting employees across sectors (defense, aerospace, cryptocurrency, etc.) using fake job offers to deliver malware. |
| Target Regions (Victims) | Global (defense, aerospace, cryptocurrency industries, nuclear-related organizations) |
| Methodology | Malicious archive files (ISO, ZIP) delivered as fake job opportunities. The infection chain consists of a downloader, a loader and a backdoor. Trojanized remote access tools (VNC, PuTTY) are used for delivery. |
| Product Targeted | IT job candidates, defense, aerospace, cryptocurrency employees |
| Malware Reference | MISTPEN, CookiePlus, RollMid, LPEClient, Charamel Loader, ServiceChanger, CookieTime, Ranid Downloader, AmazonVNC, vnclang.dll, TBaseInfo.dll, hiber.dll, sleep.dll |
| Tools Used | VNC, UltraVNC Viewer, TightVNC, Chromium-based browser, PHP-based web services, WordPress, ChaCha20 encryption, RSA encryption, DLL side-loading, Notepad++ plugin-based malware |
| Vulnerabilities Exploited | DLL side-loading via legitimate applications (e.g., UltraVNC, ServiceChanger); evasion through encryption and obfuscation |
| TTPs | Phishing (fake job offers), malware delivery via archive files, trojanized remote access tools, DLL side-loading, custom encryption (ChaCha20, RSA), key generation for decryption. |
| Attribution | Lazarus Group (North Korean state-sponsored threat actor) |
| Recommendations | Enhanced detection of archive-based malware, awareness of job recruitment phishing, scrutiny of software used by job applicants, improved encryption/key management and C2 monitoring. |
| Source | Securelist by Kaspersky |
Read full article: https://securelist.com/lazarus-new-malware/115059/
The above summary has been generated by an AI language model