Threat actors associated with the notorious North Korean hacking outfit Lazarus Group are now setting their sites on targets in the nuclear power sector, according to researchers with Kaspersky.
The cybersecurity vendor reports that the hacking group has been seeking to compromise nuclear organizations as part of an effort to step up its game and infect high-value targets.
The researchers say that the infections are part of a complex and sophisticated effort by the North Korean hackers to infiltrate companies that operate in highly secure sectors such as defense, aerospace and cryptocurrency. It seems the threat actors are now adding nuclear industry organizations to their list of targets.
“Recently, we observed a similar attack in which the Lazarus group delivered archive files containing malicious files to at least two employees associated with the same nuclear-related organization over the course of one month,” Kaspersky wrote.
“After looking into the attack, we were able to uncover a complex infection chain that included multiple types of malware, such as a downloader, loader, and backdoor, demonstrating the group’s evolved delivery and improved persistence methods.”
In this case, the researchers say that the attacks are an extension of a previous campaign known as “Operation DreamJob.”
Targets are fed what appear to be IT assessment tests, but are in fact weaponized archive files. This, in turn, sets off a complex chain of archive downloads and redirects that ultimately result in the victim being linked to a remote access trojan.
From there, the threat actors can remotely access the compromised systems and perform further network intrusions.
What stuck out to the researchers, however, was the addition of a new tool that adds a wrinkle making the malware more difficult to spot. A downloader knows as “CookiePlus” is able to operate in memory and load in malicious payloads as plugins that can be more difficult for network security tools to spot.
“Introducing this type of malware is an unusual strategy for them,” said Kaspersky.
“The fact that they do introduce new modular malware, such as CookiePlus, suggests that the group is constantly working to improve their arsenal and infection chains to evade detection by security products.”
