
Elaborate Cyber Attack by Lazarus Group Uses Job Lures to Deploy Kaolin RAT in Asia

Charles M. Walls | April 26, 2024


In the summer of 2023, the North Korea-linked Lazarus Group ran a targeted attack against individuals in Asia. The lure was a fake job offer, a tactic the group has refined over years; the payload at the end of the chain was a previously undocumented remote access trojan that Avast tracks as Kaolin RAT.

Avast researcher Luigino Camastra detailed Kaolin RAT's capabilities in a recent report. Beyond the usual remote-access functions, the RAT can rewrite a file's last-write timestamp (timestomping, which undermines timeline analysis during forensics) and load DLLs fetched from its command-and-control (C2) server. Kaolin RAT is itself only a staging step: its job is to bring in the FudModule rootkit, which exploits a flaw in the appid.sys AppLocker driver (CVE-2024-21338, CVSS 7.8). The exploit needs administrator rights to begin with; what it buys the attacker is kernel-level access, which FudModule uses to disable the system's security defenses.
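The timestamp-rewriting capability mentioned above is cheap to reproduce and worth knowing how to spot. The following is an added example, not code from the Avast report or from the malware: it timestomps one file with os.utime, exactly as a RAT would, and then applies a simple triage heuristic. The heuristic rests on a fact about the OS, not on any detail from the article: user-space code can set a file's modification time, but the inode-change time (st_ctime on POSIX; on Windows builds of Python, st_ctime reports creation time, and the same comparison still works) is maintained by the kernel and cannot be set with utime, so a file whose last-write time lies far before its change time was either timestomped or had a later metadata operation such as chmod or rename. The 60-second slack, file names and the 2015 date are arbitrary choices for the demonstration.

```python
"""Timestomping demo plus a triage heuristic (added example, constructed data)."""
import os
import tempfile
from datetime import datetime, timezone


def timestomp(path: str, when: float) -> None:
    """Set atime and mtime of `path` to `when` (epoch seconds).

    This is what a RAT does to blend a dropped file in with old system files.
    The kernel still bumps st_ctime to 'now' as a side effect of the call.
    """
    os.utime(path, (when, when))


def looks_timestomped(path: str, slack: float = 60.0) -> bool:
    """Heuristic: mtime much older than ctime.

    True for timestomped files, but also for files that had a later
    chmod/chown/rename, so treat a hit as a lead, not as proof.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def scan(directory: str, slack: float = 60.0) -> list[str]:
    """Return the names of regular files in `directory` flagged by the heuristic."""
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and looks_timestomped(full, slack):
            hits.append(name)
    return hits


def build_demo(tmpdir: str) -> tuple[str, str]:
    """Create a naturally written file and a timestomped one; return both paths."""
    natural = os.path.join(tmpdir, "natural.bin")
    stomped = os.path.join(tmpdir, "stomped.bin")
    for p in (natural, stomped):
        with open(p, "wb") as f:
            f.write(b"constructed sample content")  # constructed, not real malware
    # Pretend the second file was last written on 2015-06-01 UTC (arbitrary date).
    past = datetime(2015, 6, 1, tzinfo=timezone.utc).timestamp()
    timestomp(stomped, past)
    return natural, stomped


def demo() -> list[str]:
    """Run the whole thing in a throwaway directory and return the flagged names."""
    with tempfile.TemporaryDirectory() as d:
        build_demo(d)
        return scan(d)


if __name__ == "__main__":
    print(demo())  # ['stomped.bin']
```

On NTFS a stronger check is available to a forensic tool that reads the MFT directly: the $STANDARD_INFORMATION timestamps (which utime-style APIs modify) can be compared with the $FILE_NAME timestamps (which they do not), but that needs raw disk access and is outside what this script does.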

Historically, the Lazarus Group's "Operation Dream Job" campaign has used social media and instant messaging to deliver malware behind enticing job offers. The current scheme begins when the victim opens a malicious ISO image containing three files. One of them, "AmazonVNC.exe", is presented as an Amazon VNC client but is in fact a renamed copy of "choice.exe", a legitimate Windows command-line utility; because the executable is a genuine, signed Microsoft binary, it raises no alarm on its own.

The other two files, "version.dll" and "aws.cfg", carry the actual infection chain. When AmazonVNC.exe (choice.exe) starts, it looks for version.dll in its own directory before the system copy, so the attacker's version.dll is sideloaded. That DLL launches IExpress.exe, another legitimate Windows binary, and injects into it a payload read from "aws.cfg". The payload connects to a C2 domain that appears to be a compromised legitimate site and retrieves the next malicious component from it.

The later stages rely on steganography to hide communication with additional C2 servers and bring in further loaders, RollFling and RollSling among them. These loaders retrieve the next-stage components and run them directly in memory rather than dropping them to disk, which leaves little for file-based antivirus scanning to inspect.

The multi-tiered chain culminates in Kaolin RAT, which gives the operators file manipulation, data exfiltration and arbitrary command execution on the host. Avast itself describes the framework as arguably over-engineered, but the effort it represents says a great deal about the Lazarus Group's technical capability.

Camastra stressed the resources Lazarus had to commit to build such an elaborate chain. The group's continual adaptation keeps it among the more persistent challenges defenders face in the global threat landscape.
