Attacks leveraging fraudulent job lures to distribute the new Kaolin RAT malware have been launched by North Korean hacking collective Lazarus Group against individuals across Asia last summer, reports The Hacker News.
Social engineering techniques have been used by Lazarus Group to lure targets into executing a malicious optical disc image file with an executable spoofing an Amazon VNC client, which when run triggers a process that eventually results in malicious payload injection, according to a report from Avast. Such a payload then enables the download of a shellcode, which executes the RollFling loader with the next-stage RollSling malware and RollMid loader.
Researchers also noted the use of RollMid to deploy Kaolin RAT, which not only launches the FudModule rootkit but also proceeds with file enumeration and uploading activities, as well as process creation and termination, DLL file downloading, command execution, and arbitrary host connections.
"…Lazarus had to innovate continuously and allocate enormous resources to research various aspects of Windows mitigations and security products. Their ability to adapt and evolve poses a significant challenge to cybersecurity efforts," said researchers.