Lazarus Group Uses CookiePlus Malware to Target Nuclear Engineers

    Date: 12/26/2024

    Severity: Medium

    Summary

    The Lazarus Group, a threat actor linked to North Korea, targeted employees of a nuclear-related business using a sophisticated infection chain. The attacks, part of Operation Dream Job (also known as NukeSped), led to the installation of a new modular backdoor called CookiePlus. The group has been running this cyber espionage campaign since at least 2020, luring targets with fake job offers to distribute malware. In this latest attack, Lazarus used a trojanized VNC tool to conduct a skill evaluation under the guise of IT job assessments at aerospace and military companies, continuing its focus on nuclear engineers and supply chain attacks.

    Indicators of Compromise (IOC) List

    Hash

    MD5

    cf8c0999c148d764667b1a269c28bdcb
    80ab98c10c23b7281a2bf1489fc98c0d
    4c4abe85a1c68ba8385d2cb928ac5646
    00a2952a279f9c84ae71367d5b8990c1
    5eac943e23429a77d9766078e760fc0b

    SHA1

    0d17d477207d717f4e1be67e96c925aae473109d
    1876e829b675e86e950f2e701ab9b2c4a56b4817
    8edcd1d8d390d61587d334f4527e569a5bdf915c
    57d60872a6239449116c9c609838906cec923ef5
    2a900fbfdd65dafe6fadc4d5706e151c8b72230a

    SHA256

    ba5f3bbe77eef8e730fde5f7ab493e4ed3d954b9fa70a234eda6fe3c2fc1d572
    95dc085b0fea4a8d80df11ba1409a2df89ca97d980ba3dcf8e90d31e9d3fd533
    6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d
    f5873ecd60390e7b86db5ddaf158ed201b386be26ad80af8a7da3576446520b8
    58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    md5hash IN ("4c4abe85a1c68ba8385d2cb928ac5646","cf8c0999c148d764667b1a269c28bdcb","00a2952a279f9c84ae71367d5b8990c1","80ab98c10c23b7281a2bf1489fc98c0d","5eac943e23429a77d9766078e760fc0b")

    Detection Query 2

    sha1hash IN ("2a900fbfdd65dafe6fadc4d5706e151c8b72230a","0d17d477207d717f4e1be67e96c925aae473109d","1876e829b675e86e950f2e701ab9b2c4a56b4817","8edcd1d8d390d61587d334f4527e569a5bdf915c","57d60872a6239449116c9c609838906cec923ef5")

    Detection Query 3

    sha256hash IN ("6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d","ba5f3bbe77eef8e730fde5f7ab493e4ed3d954b9fa70a234eda6fe3c2fc1d572","95dc085b0fea4a8d80df11ba1409a2df89ca97d980ba3dcf8e90d31e9d3fd533","f5873ecd60390e7b86db5ddaf158ed201b386be26ad80af8a7da3576446520b8","58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c")
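    The three TDIR queries above each test one hash field against one list. The following Python script is an added example, not part of the advisory and not Gurucul's code, that applies the same IOC set to JSON-lines file events the way a SIEM or EDR export would present them. It normalizes case and whitespace before comparing (hash fields are often logged in uppercase), picks the right list from the digest length so a single function covers all three queries, and also lets you check a file's bytes directly. The event field names (md5hash, sha1hash, sha256hash, host, path) and the sample log lines are constructed for the example.

```python
import hashlib
import json

# IOC hashes from the advisory, grouped by algorithm (lowercase hex).
IOC_HASHES = {
    "md5": {
        "cf8c0999c148d764667b1a269c28bdcb", "80ab98c10c23b7281a2bf1489fc98c0d",
        "4c4abe85a1c68ba8385d2cb928ac5646", "00a2952a279f9c84ae71367d5b8990c1",
        "5eac943e23429a77d9766078e760fc0b",
    },
    "sha1": {
        "0d17d477207d717f4e1be67e96c925aae473109d", "1876e829b675e86e950f2e701ab9b2c4a56b4817",
        "8edcd1d8d390d61587d334f4527e569a5bdf915c", "57d60872a6239449116c9c609838906cec923ef5",
        "2a900fbfdd65dafe6fadc4d5706e151c8b72230a",
    },
    "sha256": {
        "ba5f3bbe77eef8e730fde5f7ab493e4ed3d954b9fa70a234eda6fe3c2fc1d572",
        "95dc085b0fea4a8d80df11ba1409a2df89ca97d980ba3dcf8e90d31e9d3fd533",
        "6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d",
        "f5873ecd60390e7b86db5ddaf158ed201b386be26ad80af8a7da3576446520b8",
        "58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c",
    },
}

# Event field names are an assumption for this example; map them to your schema.
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' based on a hex digest's length, else None."""
    v = value.strip().lower()
    if not v or any(c not in "0123456789abcdef" for c in v):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))


def match_event(event):
    """Check every hash field of one event against the IOC set.

    Returns a list of (field, normalized_hash) pairs that matched. Mirrors the
    three detection queries but tolerates uppercase and padded values.
    """
    hits = []
    for field in HASH_FIELDS:
        raw = event.get(field)
        if not isinstance(raw, str):
            continue
        algo = classify_hash(raw)
        if algo is None:
            continue
        normalized = raw.strip().lower()
        if normalized in IOC_HASHES[algo]:
            hits.append((field, normalized))
    return hits


def parse_events(jsonl_text):
    """Parse JSON-lines input, skipping blank and malformed lines."""
    events = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def scan_events(events):
    """Return (host, path, hits) for every event with at least one IOC match."""
    results = []
    for event in events:
        hits = match_event(event)
        if hits:
            results.append((event.get("host"), event.get("path"), hits))
    return results


def check_bytes(data):
    """Hash raw file content with all three algorithms and report which IOC lists match."""
    return [
        algo for algo in ("md5", "sha1", "sha256")
        if hashlib.new(algo, data).hexdigest() in IOC_HASHES[algo]
    ]


# Constructed sample events: one uppercase MD5 hit, one SHA256 hit, one benign file.
SAMPLE_LOG = """
{"host": "ws-eng-07", "path": "C:\\\\Users\\\\eng\\\\Downloads\\\\vnc_viewer.exe", "md5hash": "4C4ABE85A1C68BA8385D2CB928AC5646"}
{"host": "ws-eng-12", "path": "C:\\\\Temp\\\\skills_test.zip", "sha256hash": " 58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c "}
{"host": "ws-eng-03", "path": "C:\\\\Windows\\\\notepad.exe", "sha1hash": "0000000000000000000000000000000000000000"}
"""

if __name__ == "__main__":
    for host, path, hits in scan_events(parse_events(SAMPLE_LOG)):
        print(f"IOC match on {host}: {path} -> {hits}")
```

    Run it as-is to see the two constructed hits; in practice feed it an export of file-creation or process-image events and treat any hit as a trigger for isolating the host and pulling the file for analysis, since a hash match is high-confidence but easily evaded by a recompiled sample.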

    Reference:

    https://www.rewterz.com/threat-advisory/lazarus-group-uses-cookieplus-malware-to-target-nuclear-engineers-active-iocs


    Tags

    Malware, Cyber Espionage, North Korea, CookiePlus, Nuclear Reactors
