Lazarus’ key operation – “Operation DreamJob” – continues to evolve with new sophisticated tactics that have persisted for more than five years, according to Kaspersky’s Global Research and Analysis Team. The latest targets include employees from a nuclear-related organization, who were infected via three compromised archive files appearing to be skill assessment tests for IT professionals. This ongoing campaign leverages a range of advanced malware, including a newly discovered modular backdoor, CookiePlus, that was disguised as open-source plugin.
Kaspersky’s GReAT discovered a new campaign linked to the infamous Operation DreamJob, also known as DeathNote, a cluster associated with the notorious Lazarus group. Over the years, this campaign has evolved significantly, initially emerging in 2019, with attacks targeting worldwide cryptocurrency-related businesses. During 2024, it has expanded to target IT and defense companies across Europe, Latin America, South Korea, and Africa. Kaspersky’s latest report provides new insights into a recent phase of their activity, revealing campaign targeting employees working at the same nuclear-related organization in Brazil as well employees of an unidentified sector in Vietnam.
Over the span of one month, at least two employees from the same organization were targeted by Lazarus, receiving multiple archive files disguised as skill assessments for IT positions at prominent aerospace and defense companies. Lazarus initially delivered the first archive to Hosts A and B within the same organization, and after a month, attempted more aggressive attacks on the first target. They likely used job search platforms like LinkedIn to deliver the initial instructions and gain access to the targets.
Lazarus has evolved its delivery methods and improved persistence through a complex infection chain involving various types of malware, such as a downloader, loader, and backdoor. They launched a multi-stage attack using trojanized VNC software, a remote desktop viewer for Windows, and another legitimate VNC tool to deliver malware. The first stage involved a trojanized AmazonVNC.exe, which decrypted and executed a downloader called Ranid Downloader to extract internal resources of the VNC executable. A second archive contained a malicious vnclang.dll that loaded MISTPEN malware, which then fetched additional payloads, including RollMid and a new variant of LPEClient.
