zakonkz.com

Lazarus targets the nuclear industry with new malware.

Malicious actors infect company infrastructure through compressed file archives.

A new wave of Operation DreamJob, one of the Lazarus cyber group's key campaigns, has been detected. The malware is being distributed under the guise of skill assessment tests for IT job candidates, as reported by the business information center Kapital.kz, citing Kaspersky GReAT.

The attackers are infecting company infrastructures through file archives that masquerade as skill assessment tests for IT positions. Among the new targets of the cyber group are enterprises in the nuclear industry, as noted by the company.

“The Operation DreamJob campaign was first identified by Kaspersky GReAT experts in 2019. At that time, it was aimed at companies worldwide associated with cryptocurrency. In 2024, the targets expanded to include IT companies and defense sector enterprises in Europe, Latin America, South Korea, and Africa. The latest recorded wave of attacks targeted employees in the nuclear sector in Brazil. They received file archives disguised as skill assessment tests for IT job candidates. It appears that the attackers utilized a popular job search platform to disseminate initial instructions and gain access to the target systems,” reports Kaspersky GReAT.

Lazarus is enhancing its malware delivery methods by employing a complex infection chain that includes various types of malware, such as loaders and backdoors.

As specialists explain, the new multi-stage attack used a VNC Trojan, a remote desktop viewer for Windows, together with a legitimate VNC tool to deliver the malware. In the first stage, the Trojan AmazonVNC.exe decrypted and executed a loader called Ranid Downloader, which extracted internal resources of the VNC executable file. The second archive contained the malicious file vnclang.dll, which loaded the MISTPEN malware; MISTPEN then downloaded further malicious programs, including RollMid and a new variant of LPEClient.

As for the new malware, the attackers used a previously unknown backdoor that Kaspersky GReAT experts have named CookiePlus. It was distributed under the guise of a legitimate plugin for the open-source text editor Notepad++. CookiePlus gathers system data, including the computer name, process ID and file paths, and forces the main module to sleep for a while. It can also schedule the actions the attackers need by modifying its configuration file, experts note.

“This cyber-espionage campaign is quite dangerous. The ability of the malware to delay its actions allows it to evade detection at the moment of system infiltration and stay within it longer. Furthermore, the malware can manipulate system processes, making it harder to detect and potentially leading to further damage or malicious exploitation of the system,” comments Kaspersky GReAT's lead expert Vasily Berdnikov.