New malware CookiePlus targets nuclear sector workers

Yesterday

Kaspersky has revealed a new malware called CookiePlus, deployed by the North Korean hacker group Lazarus, which is targeting employees within nuclear, aerospace, and defence sectors.

The report from Kaspersky's Global Research and Analysis Team (GReAT) details this latest iteration of "Operation DreamJob", which has evolved over more than five years. CookiePlus is disguised as skill assessments for prominent defence and aerospace companies, threatening nuclear organisations with potential data theft and espionage.

Lazarus's campaign, known as "DeathNote", began in 2019 focusing initially on cryptocurrency businesses across Europe, Latin America, South Korea, and Africa. In 2024, the scope expanded, targeting IT and defence firms globally. The current report from Kaspersky highlights recent operations targeting nuclear organisation employees in Brazil and an undisclosed sector in Vietnam.

The Lazarus group has reportedly targeted at least two employees from a nuclear-related organisation over recent weeks. These individuals were sent multiple archive files falsely branded as IT skill assessments for aerospace and defence company positions. The group is believed to have used platforms like LinkedIn to deliver malicious content and gain entry to their victims.

According to Kaspersky, the malware employs a sophisticated multi-stage attack method. This starts with a trojanized VNC software that extracts and deploys successive malware stages through compromised archive files. The initial software, AmazonVNC.exe, decrypts a downloader to infiltrate internal resources. Subsequent archives contain additional malware designed to fetch further payloads.

Crucially, CookiePlus is a plugin-based backdoor that evades detection by disguising itself as an open-source Notepad++ plugin. Once operational, it gathers vital system information such as the computer name and process IDs before initiating its main functions. The malware can also adjust its activity timing, remain dormant before execution, and modify its configuration to evade security measures.

Sojun Ryu, a security expert at Kaspersky, commented, "There are substantial risks including data theft, as Operation DreamJob gathers sensitive system information that could be used for identity theft or espionage. The malware's ability to delay its actions allows it to evade detection at the moment of penetration and persist longer on the system. By setting specific execution times, it can operate at intervals that might avoid being noticed. Additionally, the malware could manipulate system processes, making it harder to detect and potentially leading to further harm or exploitation of the system."

Route of malicious files created on victims host

Additionally, they deployed an unseen plugin-based backdoor which GReAT experts dubbed CookiePlus. It was disguised as ComparePlus, an open-source Notepad++ plugin. Once established, the malware collects system data, including the computer name, process ID, and file paths, and makes its main module "sleep" for a set amount of time. It also adjusts its execution schedule by modifying a configuration file.

Share on: