• North Korean Lazarus hack

    From Mike Powell@1:2320/105 to All on Mon Dec 23 08:59:00 2024
    North Korean Lazarus hackers are targeting nuclear workers

    Date:
    Mon, 23 Dec 2024 11:43:44 +0000

    Description:
    Nuclear workers were also targeted with brand new malware.

    FULL STORY

    The infamous Lazarus Group, a threat actor linked to the North Korean government, was recently observed targeting IT professionals within the same nuclear-related organization with new malware strains.

    These attacks seem to be a continuation of a campaign first kicked off in 2020, called Operation DreamJob (AKA Deathnote), where the attackers would create fake jobs and offer these dreamy positions to people working in defense, aerospace, cryptocurrency, and other global sectors, around the world.

    They would reach out via social media such as LinkedIn or X, and run multiple rounds of interviews. At any point during these interviews, the victims would be either dropped a piece of malware, or trojanized remote access tools.

    CookieTime and CookiePlus

    The end goal of this campaign is to either steal sensitive information, or cryptocurrency. Lazarus has, among other things, managed to steal roughly $600 million from a crypto company back in 2022.

    As Kaspersky explained in its latest writeup, in this case, Lazarus targeted two individuals with malicious remote access tools. They then used the tools to drop a piece of malware called CookieTime, which acted as a backdoor, allowing the attackers to run different commands on the compromised endpoint.

    This gave them the ability to move laterally across the network and download several additional malware strains, such as LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus.

    Kaspersky says CookiePlus is particularly interesting, since it is a new plugin-based malicious program, discovered during the most recent investigation. It was loaded by both ServiceChanger and Charamel Loader, with variants being executed differently, depending on the loader. Since CookiePlus acts as a downloader, its functionality is limited, and it transmits minimal information.

    The attacks took place in January 2024, meaning Lazarus remains a major threat coming out of North Korea.

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/north-korean-lazarus-hackers-are-targeting-nuclear-workers

    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
  • From Mike Powell@1:2320/105 to All on Fri Jan 31 10:43:00 2025
    North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software

    Date:
    Thu, 30 Jan 2025 19:00:00 +0000

    Description:
    Lazarus hopes devs would pick up the wrong version by mistake.

    FULL STORY
    ======================================================================
    - Lazarus was seen poisoning open source software with infostealers
    - The campaign is dubbed Phantom Circuit, and targets mostly European software devs
    - Multiple repositories were found poisoned with malware

    The notorious North Korean hackers Lazarus have been targeting software developers, particularly those in the Web3 industry, with infostealing malware, grabbing their credentials, authentication tokens, and other valuable data, experts have warned.

    Cybersecurity researchers SecurityScorecard released a report detailing the campaign, which included a software supply-chain attack and open-source poisoning.

    Lazarus Group, an infamous hacking collective on North Korea's payroll, was spotted grabbing different open source tools, poisoning them with malicious code, and then returning them to code repositories and platforms such as Gitlab.

    Targeting Web3 devs

    Developers would then pick up these tools by mistake, and would unknowingly get infected with malware.

    The researchers named the operation Phantom Circuit, which apparently ended up compromising more than 1,500 victims. Most of them are based in Europe, with notable additions from India and Brazil.

    The modified repositories apparently included Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and other cryptocurrency-related apps, authentication packages, and web3 technologies, citing Ryan Sherstobitoff, senior VP of research and threat intelligence at SecurityScorecard.

    The researchers did not say if Lazarus used any known infostealer in this campaign, or created new code from scratch. The group is known for using a wide variety of tools in their attacks.

    Lazarus often targets cryptocurrency companies. Some researchers are saying the country is engaging in crypto theft to fund its state apparatus, as well as its weapons program. The group is famous for its fake job campaign, called Operation DreamJob, in which it targets Web3 software developers with fake, lucrative job offers.

    During the interview stages, the attackers would trick the candidate into downloading and running infostealers, grabbing their tokens, and those of their employers. In one such instance, Lazarus managed to steal roughly $600 million.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/north-korean-lazarus-hackers-launch-large-scale-cyberattack-by-cloning-open-source-software

    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)