RedX (Trusted Vendor, staff member; joined Nov 26, 2020; 655 messages)
Operation "Dream Job" is not slowing down, and now uses a long chain of loaders to hide the infection.

Lazarus Group, a prominent hacker group traditionally associated with North Korea, used tempting job offers to deliver a new remote access trojan (RAT) called Kaolin RAT as part of attacks targeting specific individuals in Asia in the summer of 2023.

According to Luigino Camastra, a security researcher at Avast, this malware can, in addition to standard RAT functions, change the timestamp of the last record of a selected file and download any resulting DLL binary from the attackers' C2 server.

The RAT serves as a delivery channel for the FudModule rootkit, which recently exploited the CVE-2024-21338 vulnerability in the appid.sys driver (CVSS score: 7.8) to obtain kernel read/write primitives and eventually disable security mechanisms.

Lazarus' use of job-offer lures to break into systems is not new. A long-running campaign called "Operation Dream Job" shows that the group uses various social networks and instant messaging platforms to deliver malware.

The infection chain begins when the target launches a malicious optical disk image (ISO) containing three files, one of which is disguised as an Amazon VNC client ("AmazonVNC.exe") but is actually a renamed copy of the legitimate Windows application "choice.exe".

The other two files, "version.dll" and "aws.cfg", serve as the catalyst for starting the infection. Specifically, the executable "AmazonVNC.exe" is used for DLL sideloading of the malicious library "version.dll", which in turn starts the IExpress.exe process and injects into it the payload located in "aws.cfg".

This payload is intended for downloading shellcode from the C2 domain ("henraux [.] com"), which supposedly belongs to an Italian company specializing in the extraction and processing of marble and granite. This domain was probably compromised by the attackers.

The shellcode is used to run RollFling, a DLL-based loader that obtains and runs the next malware stage, called RollSling, which Microsoft disclosed last year.

RollSling, executed directly in memory in an attempt to avoid detection by antivirus software, is the next step in the infection procedure. Its main function is to initiate the execution of a third loader, called RollMid, which is also executed in memory.

RollMid has capabilities that prepare the ground for the further attack and establish communication with the C2 infrastructure, in a three-step process in which the malware:

  • communicates with the first C2 server to get an HTML file containing the address of the second C2 server,
  • communicates with the second C2 server to get a PNG image with a malicious component embedded in it using steganography,
  • transmits data to a third C2 server, using the address specified in the data hidden inside the image,
  • retrieves additional Base64-encoded data from the third C2 server, which is the Kaolin RAT itself.

Against the backdrop of these developments, Luigino Camastra noted that Lazarus targeted individuals through fake job offers and used a sophisticated set of tools and malicious actions to achieve better resilience, bypassing security measures in victims' systems.
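The first stage described above (a renamed choice.exe sideloading version.dll from the ISO, then starting IExpress.exe for injection) leaves three telemetry signals a defender can check for. The following is an added detection example, not code from the post or from Avast; it runs over constructed records whose field names are modelled on Sysmon (Image, OriginalFileName, ParentImage, ImageLoaded), and the drive letter and system-directory prefixes are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows directories where version.dll legitimately lives and where
# iexpress.exe is normally started from (assumed, lower-case prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class Event:
    kind: str                 # "process_create" or "image_load"
    image: str                # path of the process (Sysmon: Image)
    original_name: str = ""   # PE OriginalFileName (process_create)
    parent: str = ""          # Sysmon ParentImage (process_create)
    loaded: str = ""          # Sysmon ImageLoaded (image_load)

def finding(e: Event) -> Optional[str]:
    """Return a reason if the event matches one stage of the chain."""
    img = e.image.lower()
    name = img.rsplit("\\", 1)[-1]
    if e.kind == "process_create":
        orig = e.original_name.lower()
        # Stage 1: on-disk name differs from the PE's OriginalFileName
        # (AmazonVNC.exe that is really choice.exe).
        if orig.endswith(".exe") and orig != name:
            return f"renamed binary: {name} has OriginalFileName {orig}"
        # Stage 3: IExpress.exe started by a parent outside System32.
        if name == "iexpress.exe" and not e.parent.lower().startswith(SYSTEM_DIRS):
            return f"iexpress.exe spawned by non-system parent {e.parent}"
    elif e.kind == "image_load":
        dll = e.loaded.lower()
        # Stage 2: version.dll resolved from the EXE's own directory,
        # not from System32 (classic DLL sideloading).
        if dll.endswith("\\version.dll") and not dll.startswith(SYSTEM_DIRS):
            return f"version.dll sideloaded from {e.loaded}"
    return None

def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every record through finding(); keep (image, reason) hits."""
    return [(e.image, r) for e in events if (r := finding(e))]

SAMPLE = [  # constructed records; D: is the mounted ISO (assumed)
    Event("process_create", r"D:\AmazonVNC.exe", "choice.exe", r"C:\Windows\explorer.exe"),
    Event("image_load", r"D:\AmazonVNC.exe", loaded=r"D:\version.dll"),
    Event("process_create", r"C:\Windows\System32\iexpress.exe", "IEXPRESS.EXE", r"D:\AmazonVNC.exe"),
    Event("process_create", r"C:\Windows\System32\choice.exe", "choice.exe", r"C:\Windows\System32\cmd.exe"),
    Event("image_load", r"C:\Windows\System32\notepad.exe", loaded=r"C:\Windows\System32\version.dll"),
]
```

The last two sample records are benign controls (choice.exe under its own name, version.dll loaded from System32) and produce no finding; `scan(SAMPLE)` returns one hit per stage of the chain.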