Kaspersky’s GReAT uncovered a new campaign linked to Operation DreamJob (also known as DeathNote), attributed to the Lazarus group.
Initially targeting cryptocurrency businesses since 2019, the campaign expanded last year to the IT and defense sectors in Europe, Latin America, South Korea, and Africa. Recently, Lazarus targeted employees at a nuclear-related organization in Brazil and at an unidentified sector in Vietnam. Over the course of a month, two employees received multiple archive files disguised as IT job assessments.
The group evolved its delivery methods, using trojanized VNC software, including AmazonVNC.exe, to deploy malware like Ranid Downloader, MISTPEN, RollMid, and a new LPEClient variant. They also introduced CookiePlus, a backdoor disguised as ComparePlus, a Notepad++ plugin. Once activated, CookiePlus collects system data and adjusts its execution schedule.
“There are substantial risks including data theft, as Operation DreamJob gathers sensitive system information that could be used for identity theft or espionage. The malware’s ability to delay its actions allows it to evade detection at the moment of penetration and persist longer on the system. By setting specific execution times, it can operate at intervals that might avoid being noticed. Additionally, the malware could manipulate system processes, making it harder to detect and potentially leading to further harm or exploitation of the system,” comments Sojun Ryu, security expert at Kaspersky’s Global Research and Analysis Team.