North Korea’s Lazarus Group deploys new Kaolin RAT via dummy decoys

April 25, 2024 | Pressroom | Malware / Cyber threat


The North Korea-linked threat actor known as Lazarus Group has used its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT.

The malware could, “in addition to standard RAT functionality, modify the last write timestamp of a selected file and load any DLL binary received from [command-and-control] server,” Avast security researcher Luigino Camastra said in a report published last week.

The RAT serves as a path to deliver the FudModule rootkit, which was recently observed leveraging a now-patched admin-to-kernel exploit in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to obtain kernel read/write primitives and ultimately disable security mechanisms.

The Lazarus Group’s use of job lures to infiltrate targets is nothing new. Dubbed Operation Dream Job, the long-running campaign has a proven track record of using various social media and instant messaging platforms to spread malware.


These initial access vectors trick targets into launching a malicious ISO (optical disc image) file containing three files, one of which masquerades as an Amazon VNC client ("AmazonVNC.exe") but is, in reality, a renamed copy of the legitimate Windows client application "choice.exe".

The other two files are named “version.dll” and “aws.cfg”. The “AmazonVNC.exe” executable is used to sideload “version.dll”, which, in turn, spawns an IExpress.exe process and injects a payload into it that resides within “aws.cfg”.
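The chain described above (a renamed system binary, a sideloaded "version.dll" next to it, and an IExpress.exe child process) leaves a recognisable trail in process-creation and image-load telemetry. The following is an added detection example written for this article, not code from Avast or from the report; the event format is a constructed, Sysmon-like record, and the sample events (drive letter E:, original file name value, parent image) are constructed for illustration.

```python
from dataclasses import dataclass
import ntpath

# Directories from which a DLL named like a Windows system library is expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System DLL names commonly abused for sideloading; the article's chain uses version.dll.
SIDELOAD_PRONE_DLLS = {"version.dll"}


@dataclass
class Event:
    """Constructed, Sysmon-like event: kind is 'process' (EID 1) or 'imageload' (EID 7)."""
    kind: str
    image: str                     # full path of the process image
    parent_image: str = ""         # process events only
    original_file_name: str = ""   # PE version-info name, process events only
    loaded_image: str = ""         # image-load events only


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return a list of human-readable findings for the sideload/injection chain."""
    findings = []
    for e in events:
        base = ntpath.basename(e.image).lower()
        if e.kind == "process":
            # A process whose on-disk name differs from its PE original name is a renamed binary.
            orig = e.original_file_name.lower()
            if orig and orig != base:
                findings.append(f"renamed binary: {e.image} reports original name {e.original_file_name}")
            # IExpress.exe normally has a system-directory parent (e.g. explorer.exe, cmd.exe).
            if base == "iexpress.exe" and not in_system_dir(e.parent_image):
                findings.append(f"iexpress.exe spawned by unusual parent {e.parent_image}")
        elif e.kind == "imageload":
            # A system DLL name loaded from outside the Windows directories is a sideload candidate.
            dll = ntpath.basename(e.loaded_image).lower()
            if dll in SIDELOAD_PRONE_DLLS and not in_system_dir(e.loaded_image):
                findings.append(f"possible sideload: {e.image} loaded {e.loaded_image}")
    return findings


# Constructed sample telemetry: a mounted ISO on E:, plus two benign events for contrast.
SAMPLE_EVENTS = [
    Event("process", r"E:\AmazonVNC.exe", parent_image=r"C:\Windows\explorer.exe",
          original_file_name="choice.exe"),
    Event("imageload", r"E:\AmazonVNC.exe", loaded_image=r"E:\version.dll"),
    Event("process", r"C:\Windows\System32\iexpress.exe", parent_image=r"E:\AmazonVNC.exe",
          original_file_name="iexpress.exe"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent_image=r"C:\Windows\explorer.exe",
          original_file_name="notepad.exe"),
    Event("imageload", r"C:\Windows\explorer.exe", loaded_image=r"C:\Windows\System32\version.dll"),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Each rule on its own is noisy (legitimate software does ship its own copies of some system DLL names), so the value lies in correlating the three findings on one host within a short window.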

The payload is designed to download shellcode from a command-and-control (C2) domain ("henraux[.]com"), which is suspected to be a real but compromised website belonging to an Italian company specializing in the extraction and processing of marble and granite.

While the exact nature of the shellcode is unclear, it is said to be used to launch RollFling, a DLL-based loader that serves to fetch and launch next-stage malware called RollSling, which was revealed by Microsoft last year in connection with a Lazarus Group campaign exploiting a critical flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8).

RollSling, executed directly in memory in a likely attempt to evade detection by security software, represents the next step in the infection procedure. Its main function is to trigger the execution of a third loader called RollMid, which also runs in the system’s memory.


RollMid comes with functionality to set the stage for the attack and establish contact with a C2 server, which involves a three-step process as follows:

  • Communicate with the first C2 server to retrieve HTML code containing the address of the second C2 server
  • Communicate with the second C2 server to retrieve a PNG image that embeds a malicious component using a technique called steganography
  • Transmit the data to the third C2 server using the address specified in the hidden data within the image
  • Retrieve an additional Base64-encoded data blob from the third C2 server, i.e. Kaolin RAT

The technical sophistication behind the multi-step sequence, while undoubtedly complex and intricate, borders on excessive, Avast said, with the Kaolin RAT paving the way for the deployment of the FudModule rootkit after setting up communications with the RAT's C2 server.


Besides that, the malware is capable of enumerating files; performing file operations; uploading files to the C2 server; altering the last-modification timestamp of a file; enumerating, creating, and terminating processes; running commands using cmd.exe; downloading DLL files from the C2 server; and connecting to an arbitrary host.
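The timestamp-altering capability is timestomping, and it is one of the few items in that list that leaves a forensic trace rather than a runtime one. The example below is added here and is not part of the article or Avast's tooling; it applies three standard NTFS heuristics to constructed file-time records (a last-write time earlier than the creation time, a last-write time in $STANDARD_INFORMATION earlier than the $FILE_NAME creation time, which user-mode APIs cannot set, and a last-write time with a zeroed sub-second component while the creation time has one). The timestamp values are constructed, and the heuristics are indicators rather than proof, since files moved between volumes can legitimately trip the second rule.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileTimes:
    """Constructed NTFS timestamp record for one file (values as parsed from an MFT entry)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION creation time (settable via SetFileTime)
    si_modified: datetime   # $STANDARD_INFORMATION last-write time (settable via SetFileTime)
    fn_created: datetime    # $FILE_NAME creation time (kernel-maintained, not settable from user mode)


def timestomp_indicators(ft: FileTimes):
    """Return the list of heuristics that fire for one file; empty means nothing suspicious."""
    reasons = []
    # Rule 1: a file cannot be written before it exists.
    if ft.si_modified < ft.si_created:
        reasons.append("last write precedes creation")
    # Rule 2: $SI last-write earlier than $FN creation indicates $SI was backdated
    # (false positives: files moved from another volume keep their old $SI times).
    if ft.si_modified < ft.fn_created:
        reasons.append("$SI last write precedes $FILE_NAME creation")
    # Rule 3: many timestomping tools set whole-second times, leaving the sub-second field zero,
    # while the untouched creation time still carries its original fractional part.
    if ft.si_modified.microsecond == 0 and ft.si_created.microsecond != 0:
        reasons.append("last write has zeroed sub-second precision")
    return reasons


def scan(records):
    """Map each path to its indicators, keeping only files with at least one hit."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample records: one backdated payload and one ordinary document.
SAMPLE_RECORDS = [
    FileTimes(r"C:\ProgramData\updater.dll",
              si_created=datetime(2024, 4, 1, 10, 0, 0, 123456),
              si_modified=datetime(2021, 1, 1, 0, 0, 0),
              fn_created=datetime(2024, 4, 1, 10, 0, 0, 123456)),
    FileTimes(r"C:\Users\analyst\Documents\notes.txt",
              si_created=datetime(2024, 4, 1, 10, 0, 0, 123456),
              si_modified=datetime(2024, 4, 2, 9, 30, 15, 654321),
              fn_created=datetime(2024, 4, 1, 10, 0, 0, 123456)),
]


def run_sample():
    return scan(SAMPLE_RECORDS)


if __name__ == "__main__":
    for path, hits in run_sample().items():
        print(path, "->", "; ".join(hits))
```

In practice these rules are run over a parsed $MFT rather than live files, because the $FILE_NAME attribute is not exposed through normal file APIs; the record class here stands in for that parsed input.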

“The Lazarus group targeted individuals through fabricated job offers and used a sophisticated toolset to achieve improved persistence by bypassing security products,” Camastra said.

“It is clear that they have invested significant resources in developing such a complex attack chain. What is certain is that Lazarus has had to continuously innovate and allocate enormous resources to research various aspects of Windows security mitigations and products. Their capability to adapt and evolve poses a significant challenge to cybersecurity efforts.”
