New Kaolin RAT by Lazarus Group Exploits AI Job Lures, Targeting Individuals in Asia with Malware

  • Published: 13 Jun 2024
  • #LazarusGroup
    #KaolinRAT
    #CyberSecurity
    #Hacking
    #RemoteAccessTrojan
    #NorthKorea
    #APT
    #OperationDreamJob
    #Malware
    #AIExploitation
    #JobLures
    #SocialEngineering
    #C2Server
    #CyberThreats
    #AdvancedPersistentThreat
    #APTGroup
    #CyberDefense
    #Infosec
    #CyberAttack
    #SecurityResearch
    #DataBreach
    #ThreatIntelligence
    #CVE202421338
    #Exploit
    #Steganography
    #DLLInjection
    #Rootkit
    #Shellcode
    #HackingTools
    #CyberEspionage
    #ITSecurity
    #NetworkSecurity
    #DataProtection
    #DigitalSafety
    Lazarus Group Unleashes New Kaolin RAT Using Fake Job Lures
    The North Korea-linked Lazarus Group has deployed a new remote access trojan (RAT), Kaolin RAT, against individuals in Asia through carefully built job-offer lures. The campaign marks a significant evolution in the group's tooling, and the reporting credits the polish of the lures to AI and natural-language-processing tools.
    Attack Overview
    The campaign, part of the long-running Operation Dream Job, delivers fraudulent job offers over social media and messaging platforms. The target is persuaded to open an ISO image; mounting it and running the executable inside starts the infection chain. That executable is a renamed legitimate Windows binary presented as an Amazon VNC client.
    Technical Details
    1. ISO File Contents:
    • AmazonVNC.exe: a renamed copy of the legitimate Windows choice.exe, used only to sideload a malicious DLL from the same directory.
    • version.dll: the malicious DLL picked up by the sideload. The name matches a system DLL that many binaries import and that is not in KnownDLLs, so the Windows loader resolves it from the executable's own directory before System32.
    • aws.cfg: the payload file that version.dll reads and injects.
    2. Infection Chain:
    • AmazonVNC.exe loads version.dll from the ISO instead of the system copy.
    • version.dll starts IExpress.exe, a legitimate Windows tool, and injects the payload from aws.cfg into it.
    • The injected payload downloads shellcode from a compromised legitimate website (henraux[.]com).
    3. Malware Deployment:
    • RollFling: initial loader that retrieves and executes RollSling. It derives its decryption key from the victim's SMBIOS data, so the next stage decrypts only on the intended host and not in a sandbox.
    • RollSling: memory-resident loader that executes RollMid.
    • RollMid: contacts several C2 servers and hides data inside images (steganography) so the traffic looks like ordinary web requests.
    4. Kaolin RAT Functions:
    • Communicates with C2 servers.
    • Performs file operations, process enumeration and command execution.
    • Downloads additional components and alters file timestamps (timestomping) to corrupt forensic timelines.
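As an added illustration (not code from the page's sources or from the Lazarus tooling), here is detection logic a SOC could run over Sysmon-style endpoint telemetry to catch three behaviours of the chain above: a renamed binary sideloading version.dll from a non-system directory, IExpress.exe started by an unexpected parent, and a dropped file's creation time moved backwards. Sysmon event IDs 1, 2 and 7 and their field names are real; the events in SAMPLE_EVENTS, the drive letters and paths, and the choice.exe OriginalFileName in the sample are constructed for the example.

```python
"""Behavioural detection for the Kaolin RAT infection chain (added example).

Walks simplified Sysmon-style events and flags:
  * ID 7 (ImageLoaded): version.dll loaded from outside System32/SysWOW64
    by a process whose on-disk name differs from its PE OriginalFileName
    (a renamed legitimate binary sideloading a DLL).
  * ID 1 (ProcessCreate): iexpress.exe created by a parent that is not an
    interactive shell (the chain uses it as an injection host).
  * ID 2 (FileCreateTime): creation timestamp rewritten to an earlier value
    (timestomping of dropped components).
All sample events below are constructed, not captured telemetry.
"""
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Optional

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SIDELOAD_DLLS = {"version.dll"}  # DLL named in the chain above
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}  # normal iexpress.exe parents


@dataclass
class Alert:
    rule: str
    detail: str


def _norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect_sideload(ev: dict) -> Optional[Alert]:
    """Renamed binary loading a sideload-prone DLL from a non-system directory."""
    if ev.get("EventID") != 7:
        return None
    loaded = _norm(ev["ImageLoaded"])
    if _name(loaded) not in SIDELOAD_DLLS or loaded.startswith(SYSTEM_DIRS):
        return None
    original = ev.get("OriginalFileName", "").lower()
    if original and _name(ev["Image"]) == original:
        return None  # not renamed; a plain DLL hijack needs its own rule
    return Alert("dll_sideload_renamed_binary",
                 f"{ev['Image']} (OriginalFileName={original or '?'}) loaded {ev['ImageLoaded']}")


def detect_iexpress_spawn(ev: dict) -> Optional[Alert]:
    """iexpress.exe created by something other than an interactive shell."""
    if ev.get("EventID") != 1 or _name(ev["Image"]) != "iexpress.exe":
        return None
    if _name(ev.get("ParentImage", "")) in SHELL_PARENTS:
        return None
    return Alert("iexpress_unusual_parent",
                 f"{ev['Image']} spawned by {ev.get('ParentImage', '?')}")


def detect_timestomp(ev: dict) -> Optional[Alert]:
    """Creation timestamp moved backwards (Sysmon logs old and new values)."""
    if ev.get("EventID") != 2:
        return None
    new = datetime.fromisoformat(ev["CreationUtcTime"])
    prev = datetime.fromisoformat(ev["PreviousCreationUtcTime"])
    if new >= prev:
        return None
    return Alert("timestomp", f"{ev['TargetFilename']}: {prev.isoformat()} -> {new.isoformat()}")


RULES = (detect_sideload, detect_iexpress_spawn, detect_timestomp)


def scan(events) -> list:
    """Run every rule over every event; alerts come back in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def chain_stages_hit(alerts) -> set:
    """Distinct rules that fired; all three together strongly indicate this chain."""
    return {a.rule for a in alerts}


# Constructed sample telemetry (not real captures); E: is the mounted ISO.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},                       # benign
    {"EventID": 7, "Image": r"E:\AmazonVNC.exe", "OriginalFileName": "choice.exe",
     "ImageLoaded": r"E:\version.dll"},                                        # stage 1
    {"EventID": 1, "Image": r"C:\Windows\System32\iexpress.exe",
     "ParentImage": r"E:\AmazonVNC.exe"},                                      # stage 2
    {"EventID": 1, "Image": r"C:\Windows\System32\iexpress.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                               # benign
    {"EventID": 2, "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\out.dat",
     "PreviousCreationUtcTime": "2024-04-10T09:12:33",
     "CreationUtcTime": "2019-03-02T00:00:00"},                                # stage 4
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The rules are deliberately behavioural rather than hash-based, because the group rotates file names and binaries between campaigns; on real telemetry you would add the Signed/Signature fields from Sysmon ID 7 to whitelist vendor-signed loaders and tune SHELL_PARENTS to your environment.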
    Advanced Capabilities
    Kaolin RAT paves the way for the FudModule rootkit, which exploits CVE-2024-21338, an admin-to-kernel vulnerability in the Windows AppLocker driver appid.sys that Microsoft patched in February 2024. Because the bug lives in a Microsoft-signed driver already on every host, the attacker no longer needs to bring a vulnerable third-party driver (BYOVD) to reach kernel memory and switch off security mechanisms. The precondition is local administrator rights, which the RAT already provides; on an unpatched host the endpoint protection is then blinded, so the February 2024 update is the control that breaks this step of the chain. The multi-stage sequence shows the Lazarus Group's ability to build and adapt complex tooling, a significant challenge for defenders.
    Implications
    The combination of polished social engineering and a multi-stage, in-memory toolchain underscores the evolving threat landscape. Organisations should keep Windows kernel patches current, treat executables launched from mounted ISO images as suspicious, and invest in monitoring for and responding to social-engineering approaches that arrive as job offers.
    Sources
    • Vulnera
    • The Network Company
