The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT.
The malware could, “aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server,” Avast security researcher Luigino Camastra said in a report published last week.
The RAT acts as a pathway to deliver the FudModule rootkit, which has been recently observed leveraging a now-patched admin-to-kernel exploit in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to obtain a kernel read/write primitive and ultimately disable security mechanisms.
The Lazarus Group’s use of job offer lures to infiltrate targets is not new. Dubbed Operation Dream Job, the long-running campaign has a track record of using various social media and instant messaging platforms to deliver malware.
These initial access vectors trick targets into launching a malicious optical disc image (ISO) file bearing three files, one of which masquerades as an Amazon VNC client (“AmazonVNC.exe”) that, in reality, is a renamed version of a legitimate Windows application called “choice.exe.”
The two other files are named “version.dll” and “aws.cfg.” The executable “AmazonVNC.exe” is used to side-load “version.dll,” which, in turn, spawns an IExpress.exe process and injects into it a payload residing within “aws.cfg.”
The payload is designed to download shellcode from a command-and-control (C2) domain (“henraux[.]com”), which is suspected to be an actual-but-hacked website belonging to an Italian company that specializes in excavating and processing marble and granite.
While the exact nature of the shellcode is unclear, it’s said to be used to launch RollFling, a DLL-based loader that serves to retrieve and launch the next-stage malware named RollSling, which was disclosed by Microsoft last year in connection with a Lazarus Group campaign exploiting a critical JetBrains TeamCity flaw (CVE-2023-42793, CVSS score: 9.8).
RollSling, executed directly in memory in a likely attempt to evade detection by the security software, represents the next phase of the infection procedure. Its primary function is to trigger the execution of a third loader dubbed RollMid that’s also run in the system’s memory.
RollMid comes fitted with capabilities to set the stage for the attack and establish contact with a C2 server, which involves a three-stage process of its own as follows –
- Communicate with the first C2 server to fetch a HTML containing the address of the second C2 server
- Communicate with the second C2 server to fetch a PNG image that embeds a malicious component using a technique called steganography
- Transmit data to the third C2 server using the address specified in the concealed data within the image
- Retrieve an additional Base64-encoded data blob from the third C2 server, which is the Kaolin RAT
The technical sophistication behind the multi-stage sequence, while no doubt complex and intricate, borders on overkill, Avast opined, with the Kaolin RAT paving the way for the deployment of the FudModule rootkit after setting up communications with the RAT’s C2 server.
On top of that, the malware is equipped to enumerate files; carry out file operations; upload files to the C2 server; alter a file’s last modified timestamp; enumerate, create, and terminate processes; execute commands using cmd.exe; download DLL files from the C2 server; and connect to an arbitrary host.
“The Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products,” Camastra said.
“It is evident that they invested significant resources in developing such a complex attack chain. What is certain is that Lazarus had to innovate continuously and allocate enormous resources to research various aspects of Windows mitigations and security products. Their ability to adapt and evolve poses a significant challenge to cybersecurity efforts.”