The North Korean (DPRK)-linked Lazarus Group recently shifted its focus to the nuclear industry, a concerning departure from its previous emphasis on defense, aerospace, and cryptocurrency targets, among others. The Lazarus Group has historically distributed malware through fake job opportunities in a campaign known as “DeathNote” or “Operation DreamJob.” The group created fake job postings that lured potential employees with appealing career opportunities and sent malicious files disguised as job assessments, which allowed it to gain access to victims’ systems. During the interview process, candidates were provided with fraudulent job assessments that contained ZIP archives filled with malicious executables or trojanized tools. The ZIP file also contained the malicious file vnclang.dll, a loader identified as MISTPEN malware based on its communication with the command and control (C2) server. Additional payloads included RollMid, CookieTime, and a new LPEClient variant. If executed, these trojans could grant threat actors unauthorized access to the compromised devices, enabling data theft or disruption of operations.
The group’s methods continue to evolve, employing advanced tools like the Ranid downloader, a new backdoor known as “RustyAttr,” and a new plugin-based malware known as “CookiePlus” that operates in memory for obfuscation. Analysts found that CookiePlus was initially disguised as ComparePlus, an open-source Notepad++ plugin, but has shifted to impersonating other open-source projects like DirectX-Wrappers.
Image Source: SecureList
In October, the Lazarus Group refined its tactics by exploiting vulnerabilities, including a Google Chrome zero-day, to target cryptocurrency investors through a deceptive NFT game. In November, analysts detected a new malware variant known as OtterCookie, in addition to previously identified threats such as BeaverTail and InvisibleFerret. The OtterCookie downloader has been noted for its ability to download JSON data remotely and execute cookie properties as JavaScript. It often downloads and executes JavaScript following a 500 HTTP status code that triggers a catch block.
Threat actors likely began using OtterCookie in September; however, the November version incorporates Socket.IO for executing shell commands and gathering cryptocurrency wallet keys from various file types, transmitting this data remotely. It also utilizes the clipboardy library to extract clipboard information, a feature not present in September’s version.
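The traits described above (a catch block that evaluates a response “cookie” property as code, Socket.IO for command handling, clipboardy for clipboard access) can be turned into a defensive source-review heuristic for JavaScript packages received during a hiring process. The scanner below is an added example written for this advisory, not code from the NJCCIC or from any analyzed sample; its regex rules, weights, threshold and both input snippets are constructed for illustration and are not published detection signatures.

```javascript
'use strict';

// Heuristic rules modelled on the OtterCookie behaviour described in the text.
// Each rule is a loose regex with a weight; these are constructed examples,
// not vendor signatures, and are meant for triage rather than verdicts.
const RULES = [
  // catch block whose body passes a "cookie" property to eval / new Function
  { name: 'exec-cookie-in-catch',
    re: /catch\s*\([^)]*\)\s*\{[^}]*?(?:eval|new\s+Function)\s*\([^)]*cookie/i,
    weight: 5 },
  // remote Socket.IO channel, used by the November variant for shell commands
  { name: 'socket-io-client',
    re: /require\(\s*['"]socket\.io-client['"]\s*\)|from\s+['"]socket\.io-client['"]/,
    weight: 2 },
  // clipboard harvesting library added in the November variant
  { name: 'clipboardy',
    re: /require\(\s*['"]clipboardy['"]\s*\)|from\s+['"]clipboardy['"]/,
    weight: 2 },
  // local shell execution primitive (weak signal on its own)
  { name: 'child-process',
    re: /require\(\s*['"]child_process['"]\s*\)/,
    weight: 1 },
];

// Scan one source file and return matched rule names, a summed score and a
// triage flag. The threshold of 5 is an assumption chosen for this example.
function scanSource(src) {
  const matched = RULES.filter((rule) => rule.re.test(src));
  const score = matched.reduce((sum, rule) => sum + rule.weight, 0);
  return { hits: matched.map((rule) => rule.name), score, suspicious: score >= 5 };
}

// Constructed fixture: an ordinary config loader whose catch block only logs.
const SAMPLE_BENIGN = `
const axios = require('axios');
async function load() {
  try { return (await axios.get('/config')).data; }
  catch (err) { console.error('config fetch failed', err.message); return null; }
}`;

// Constructed fixture mirroring the described pattern: a 500 response is
// thrown into the catch block, whose "cookie" property is executed as code.
const SAMPLE_SUSPICIOUS = `
const io = require('socket.io-client');
const clipboardy = require('clipboardy');
async function check(res) {
  try { if (res.status === 500) throw res; return res.data; }
  catch (err) { eval(err.data.cookie); }
}`;

console.log(scanSource(SAMPLE_BENIGN));      // score 0, not flagged
console.log(scanSource(SAMPLE_SUSPICIOUS));  // score 9, flagged for review
```

A match only means the file deserves manual review; the catch-block rule is the strong signal, while the library imports alone are common in legitimate projects.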
South Korean officials recently sanctioned 15 DPRK nationals and the Chosun Geumjeong Economic Information Technology Exchange Corporation for violations of established economic sanctions. The individuals are allegedly tied to the DPRK’s 313th General Bureau, part of the DPRK’s Ministry of Munitions Industry, which oversees Pyongyang’s weapons production, research and development, and ballistic missile programs. The individuals and others are known to be dispatched to China, Russia, Southeast Asia, Africa, and other countries as employees of regime-affiliated organizations such as the Ministry of Defense, disguising their identities and receiving work from IT companies around the world, with some facilitating cyberattacks and stealing cryptocurrency.
A 2024 report (PDF) by a United Nations panel stated that it is investigating at least 58 cyberattacks by DPRK operatives against cryptocurrency companies between 2017 and 2023, with the incidents yielding an estimated $3 billion in stolen gains. The panel also investigated reports of numerous DPRK nationals working overseas in the restaurant and construction industries, in addition to the IT industry.
South Korea emphasized that these actions jeopardize the overall cybersecurity landscape and pose a significant threat to global peace and security. Specifically, these activities are being used to fund North Korea’s nuclear and missile development programs.
Recommendations
Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats as detailed on the NJCCIC Guidance and Best Practices webpage. Avoid clicking links in, responding to, or acting on unsolicited text messages or emails. Use strong, unique passwords and enable multi-factor authentication (MFA) for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes. Keep systems up to date and apply patches after appropriate testing. Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior. Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs). Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from information technology (IT) environments. If seeking employment, confirm the legitimacy of a job offer by contacting the careers section of the company’s official website or by calling the company’s human resources department. Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds. Report cyber incidents to the FBI’s IC3 and the NJCCIC.