The Lazarus group delivered archive files containing malicious components, built from both new and old malware samples, to two employees associated with the same nuclear-related organization.
The group used multiple types of malware, including a downloader, a loader, and a backdoor.
The DeathNote campaign is a series of cyber attacks in which the Lazarus group distributes its malicious software components under the cover of fake job opportunities, targeting employees in various sectors.
The Lazarus group tends to pose as recruiters and contacts targets on platforms such as LinkedIn, Telegram, and WhatsApp.
It has been distributing trojanized remote access tools, persuading targets to connect to a specific server for a skills assessment.
The recently discovered attack used the same method of distributing trojanized remote access tools, but the infection chain has changed completely.
The group delivered its malicious files to victims inside compressed ISO images in order to evade detection, since ZIP archives are readily detected by many services.
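The defensive counterpart to that evasion is a gateway or sandbox that opens the ISO itself instead of trusting the container type. The following is an added example, not code from the report or from the group's tooling: a minimal ISO 9660 directory walker that lists every file inside an image and flags executable types. The sample image, its file names and the extension list are constructed here purely for illustration.

```python
import struct
SECTOR = 2048
# Assumed heuristic, not a list from the report: types that have no business inside a job-offer ISO.
SUSPICIOUS_EXT = (".exe", ".dll", ".lnk", ".scr", ".vbs", ".js", ".hta")

def _record(ident, lba, size, is_dir):
    # Record layout: len, xattr len, extent (LE+BE), size (LE+BE), date, flags, unit, gap, volseq, id
    both = lambda n: struct.pack("<I", n) + struct.pack(">I", n)
    body = (both(lba) + both(size) + bytes(7) + bytes([2 if is_dir else 0, 0, 0])
            + b"\x01\x00\x00\x01" + bytes([len(ident)]) + ident + bytes(1 - len(ident) % 2))
    return bytes([len(body) + 2, 0]) + body  # trailing bytes() call pads the record to even length

def _directory(entries, self_lba, parent_lba):  # '.' and '..' first, zero-padded to one sector
    recs = [(b"\x00", self_lba, SECTOR, True), (b"\x01", parent_lba, SECTOR, True)] + entries
    return b"".join(_record(*e) for e in recs).ljust(SECTOR, b"\x00")

def build_sample_iso():
    # Constructed image: PVD at sector 16, root dir at LBA 18, DOCS subdir at LBA 19, file data after
    root = _directory([(b"README.TXT;1", 20, 10, False), (b"SETUP.EXE;1", 21, 10, False),
                       (b"DOCS", 19, SECTOR, True)], 18, 18)
    docs = _directory([(b"NOTES.LNK;1", 22, 10, False)], 19, 18)
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    pvd[156:190] = _record(b"\x00", 18, SECTOR, True)  # root directory record
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(SECTOR) + root + docs + bytes(3 * SECTOR)

def _walk(image, lba, length, prefix):
    data, pos = image[lba * SECTOR:lba * SECTOR + length], 0
    while pos < len(data):
        if data[pos] == 0:  # zero record length: the rest of this sector is padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec, pos = data[pos:pos + data[pos]], pos + data[pos]
        ident = rec[33:33 + rec[32]]
        if ident in (b"\x00", b"\x01"):  # '.' and '..'
            continue
        name = prefix + ident.decode("ascii").split(";")[0]  # strip the ';1' version suffix
        if rec[25] & 0x02:  # directory flag: recurse into its extent (LBA at 2, length at 10)
            yield from _walk(image, *struct.unpack_from("<I4xI", rec, 2), name + "/")
        else:
            yield name

def list_iso_files(image):
    pvd = image[16 * SECTOR:17 * SECTOR]  # primary volume descriptor
    if pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    return sorted(_walk(image, *struct.unpack_from("<I4xI", pvd, 158), "/"))  # root record at 156

def suspicious_files(image):
    return [p for p in list_iso_files(image) if p.lower().endswith(SUSPICIOUS_EXT)]
```

Run `suspicious_files(build_sample_iso())` to see the walker report the nested LNK and the EXE while leaving the text file alone; the same walker works on a real image read from disk.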
The malware-to-malware communication flow designed by the group defines the cookies and payloads that its malware components send and receive.
CookiePlus is a new modular malware introduced by the Lazarus group; it disguises itself as open-source plugins.
The group has used compromised web servers running WordPress as C2 servers for most of its campaigns.