North Korean hackers spotted using new tools on employees of 'nuclear-related' org
North Korean state-backed hackers targeted several employees of a “nuclear-related” organization earlier this year using an array of malware, including newly identified tools.
According to the cybersecurity firm Kaspersky, the tactics mark an evolution of the North Korean Lazarus Group’s campaign to compromise the devices of workers in sensitive industries through fake job opportunities.
The attempted intrusions observed by the researchers involved some familiar tactics but included alarming twists. Kaspersky didn’t specify the name or location of the affected organization. Lazarus Group typically launches attacks for financial gain.
The researchers uncovered “a complex infection chain that included multiple types of malware, such as a downloader, loader, and backdoor, demonstrating the group’s evolved delivery and improved persistence methods.”
The initial infections occurred in ways familiar to observers of Lazarus, through a trojanized virtual network computing (VNC) utility sent to the victims under the guise of a skills assessment test.
One piece of malware found on the infected devices was CookieTime, which was used to download several other malware strains, including a “new plug-in modular malware” the researchers called CookiePlus.
“The problem for defenders is that CookiePlus can behave just like a downloader,” the researchers said. “This makes it difficult to investigate whether CookiePlus downloaded just a small plugin or the next meaningful payload. From our analysis, it appears to be still under active development, meaning Lazarus may add more plugins in the future.”
Separately on Monday, the South Korean cybersecurity company ASEC warned that another North Korean government-backed hacking group tracked as Andariel is using SmallTiger malware to exploit “domestic asset management” software and a “document centralization solution.” Andariel has carried out espionage and ransomware attacks.
The blockchain analytics firm Chainalysis said last week that hackers connected to the North Korean government have stolen at least $1.34 billion worth of cryptocurrency so far in 2024 across 47 incidents.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.