North Korean hacker gang Lazarus returns with older, more powerful malware distributed in fake job offers


Mélina LOUPIA

April 26, 2024 at 4:04 p.m.


Lazarus Group returns with a new version of its malware © Gorodenkoff / Shutterstock

Lazarus Group returns with a new version of its malware © Gorodenkoff / Shutterstock

Lazarus Group, the North Korean hacking gang, has strengthened its KaolinRAT malware and is delivering it to victims through fake job offers posted on LinkedIn and WhatsApp, among other channels.

You may know Lazarus, the open-source IDE; it is not to be confused with Lazarus Group, whose motivations are entirely different. The latter is a gang of hackers originating from North Korea whose potential victims are found all over the world.

Already well known to the authorities for a cryptocurrency heist of nearly $550 million in 2022, Lazarus Group has made the theft of cryptocurrencies its signature.

Today the gang is back, recycling one of its older pieces of malware, KaolinRAT, and boosting it to get past more security systems. Its target? Only a small number of individuals, but, as Avast security researcher Luigino Camastra points out, these are people whose technical professional background is of interest to Lazarus. That is why the hackers lure them with a recruitment campaign of a kind that has already proven effective in the past. A fake and malicious one, of course.

Recycling fake job offers posted on LinkedIn and WhatsApp to lure victims

Lazarus Group seems adept at recycling. Protecting the environment is presumably not its main concern; rather, it wants to attack with a weapon already tested and approved in the past. Its lure, which proved its worth under the name “Operation Dream Job” in 2022, consists of attracting victims with job offers distributed in particular on LinkedIn, on WhatsApp and by e-mail.

After several exchanges of messages to build a relationship of trust with the victim, the attacker sends them an ISO file to run, supposedly containing an Amazon assessment, “AmazonVNC.exe”, explaining that this is part of the recruitment process for the e-commerce giant.

All it takes is a double-click by the victim to launch the formidable KaolinRAT attack chain, which Lazarus has taken care to upgrade so that it bypasses as many security barriers as possible.

An ultra-sophisticated technique that “borders on exaggeration” to inject the malware

What follows is an elaborate process on Lazarus Group's part which, in Luigino Camastra's own words, “borders on exaggeration”. Two files, “version.dll” and “aws.cfg”, are used to start the infection on the computer. Recall “AmazonVNC.exe”, the executable run by the victim: it uses “version.dll” to start another process, “iexpress.exe”, which receives malicious code from “aws.cfg”.

This code is designed to download further malicious code from an attacker-controlled website (“henraux[.]com”), which is suspected to be a legitimate site that was compromised.

The downloaded code launches another piece of malware called RollFling, whose job is to fetch and run yet another, RollSling. The latter was disclosed by Microsoft last year and is linked to a campaign exploiting a security flaw in JetBrains TeamCity.

RollSling is run directly in computer memory, presumably to avoid detection by security software. It triggers the execution of a third malicious program called RollMid, which also runs in the computer’s memory.
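The first link of the chain described above (a victim-run executable that uses a version.dll located outside the Windows system directories to start iexpress.exe) can be spotted in endpoint telemetry. The following detection logic is an added example written for this article, not Avast's code; it treats the version.dll used by AmazonVNC.exe as a side-loaded DLL (an assumption of the example) and runs over constructed, Sysmon-like events with invented PIDs and paths.

```python
import ntpath

# Constructed sample events (invented PIDs and paths) in a simplified
# Sysmon-like shape: image-load and process-create records.
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4210, "image": r"E:\AmazonVNC.exe",
     "loaded": r"E:\version.dll", "signed": False},
    {"type": "process_create", "pid": 4388, "ppid": 4210,
     "image": r"C:\Windows\System32\iexpress.exe"},
    {"type": "image_load", "pid": 1200, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"type": "process_create", "pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\System32\iexpress.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_PRONE = {"version.dll"}  # the DLL named in the article; extend as needed

def is_system_path(path: str) -> bool:
    """True when the DLL comes from a Windows system directory."""
    return path.lower().startswith(SYSTEM_DIRS)

def find_sideloads(events):
    """Map pid -> image for processes that loaded a sideload-prone DLL
    from outside the Windows system directories."""
    hits = {}
    for ev in events:
        if ev["type"] != "image_load":
            continue
        name = ntpath.basename(ev["loaded"]).lower()
        if name in SIDELOAD_PRONE and not is_system_path(ev["loaded"]):
            hits[ev["pid"]] = ev["image"]
    return hits

def find_suspicious_iexpress(events):
    """Alert on iexpress.exe spawned by a process that side-loaded a DLL.
    Returns (parent_pid, parent_image, child_pid) tuples; the benign
    app.exe above loads the real System32 version.dll and is not flagged."""
    sideloaders = find_sideloads(events)
    return [
        (ev["ppid"], sideloaders[ev["ppid"]], ev["pid"])
        for ev in events
        if ev["type"] == "process_create"
        and ntpath.basename(ev["image"]).lower() == "iexpress.exe"
        and ev["ppid"] in sideloaders
    ]

if __name__ == "__main__":
    for ppid, parent, pid in find_suspicious_iexpress(SAMPLE_EVENTS):
        print(f"ALERT: {parent} (pid {ppid}) side-loaded version.dll "
              f"and spawned iexpress.exe (pid {pid})")
```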

It is at the end of a long chain that KaolinRAT is deployed © NicoElNino / Shutterstock

RollMid has several functions, including preparing the computer for the attack and establishing a connection to a server controlled by the attackers, which it does in three steps.

First, it communicates with the first server to retrieve an HTML file containing the address of the second server. Then it communicates with the second server to retrieve a PNG image containing another malicious component, hidden using a technique called steganography. Finally, it sends data to the third server, using the address specified in the data hidden in the image.

From the third server it retrieves another set of Base64-encoded data: yet another piece of malware, KaolinRAT, which in turn prepares the ground for the deployment of a further malware called FudModule.

One wonders why so much ingenuity and so many steps go into distributing a piece of malware. Perhaps Lazarus Group is hoping, through this attack, to recruit big names in hacking into its stable, victims who would be able to thwart it and turn it to their own advantage. Who knows?

Source: Avast Decoded


Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most-liked reels, I come from the Facebook generation, which is still fascinated by the internecine war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (along with lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
