North Korea’s Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
April 25, 2024
The Lazarus Group, a North Korean threat actor, has been discovered using a new remote access trojan (RAT) named Kaolin RAT. This RAT is delivered through fabricated job offers, a tactic that the group has used before. The Kaolin RAT has the ability to change the last write timestamp of a selected file and load any received DLL binary from the command-and-control server, according to Luigino Camastra, a security researcher at Avast.
The Kaolin RAT serves as a conduit for the FudModule rootkit. This rootkit has been noticed exploiting a previously patched admin-to-kernel vulnerability in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to gain kernel read/write access and disable security mechanisms.
The Lazarus Group's Operation Dream Job campaign has a history of using various social media and instant messaging platforms to deliver malware. The targets are tricked into launching a malicious optical disc image (ISO) file that contains three files. One of these files pretends to be an Amazon VNC client, but is actually a renamed version of a legitimate Windows application. The other two files are named 'version.dll' and 'aws.cfg'.
The 'AmazonVNC.exe' executable is used to side-load 'version.dll', which spawns an IExpress.exe process and injects a payload from 'aws.cfg'. This payload is designed to download shellcode from a command-and-control domain, which is suspected to belong to an Italian company that has been hacked. The shellcode is used to launch RollFling, a DLL-based loader that retrieves and launches the next-stage malware named RollSling, which was disclosed by Microsoft last year in connection with a Lazarus Group campaign exploiting a critical JetBrains TeamCity flaw (CVE-2023-42793, CVSS score: 9.8).
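As an added example that is not from the article or from Avast's report, the following routine checks Sysmon-style image-load and process-creation events for the side-loading step described above: a copy of version.dll loaded from outside the Windows system directories, with severity raised when the same loading process then spawns IExpress.exe. The trusted directories, event field names and sample events are all constructed assumptions.

```python
import ntpath

# Directories from which version.dll is legitimately loaded (assumes Windows on C:).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL name abused in this chain; extend with other known side-load targets.
SIDELOAD_DLLS = {"version.dll"}
# Host process the payload is injected into, per the report.
LOLBIN_CHILDREN = {"iexpress.exe"}


def find_sideload_chains(events):
    """Return sorted (loading_process, loaded_dll, severity) tuples.

    events: dicts with 'type' and 'image'; image_load events carry 'loaded',
    process_create events carry 'parent_image' (constructed field names).
    """
    suspects = {}
    for ev in events:
        if ev["type"] != "image_load":
            continue
        dll = ev["loaded"].lower()
        if ntpath.basename(dll) not in SIDELOAD_DLLS:
            continue
        if ntpath.dirname(dll) in TRUSTED_DIRS:
            continue  # normal load of the system copy
        # A system DLL resolved from the executable's own directory: side-load.
        suspects[ev["image"].lower()] = (ev["image"], ev["loaded"], "medium")
    for ev in events:
        if ev["type"] != "process_create":
            continue
        parent = ev["parent_image"].lower()
        child = ntpath.basename(ev["image"].lower())
        if parent in suspects and child in LOLBIN_CHILDREN:
            img, dll, _ = suspects[parent]
            suspects[parent] = (img, dll, "high")  # side-load followed by LOLBin spawn
    return sorted(suspects.values())


# Constructed sample telemetry: a mounted ISO on D:, one benign load, one lone side-load.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"D:\AmazonVNC.exe", "loaded": r"D:\version.dll"},
    {"type": "process_create", "parent_image": r"D:\AmazonVNC.exe",
     "image": r"C:\Windows\System32\iexpress.exe"},
    {"type": "image_load", "image": r"C:\Program Files\Git\git.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
    {"type": "image_load", "image": r"C:\Tools\old.exe", "loaded": r"C:\Tools\version.dll"},
]

if __name__ == "__main__":
    for finding in find_sideload_chains(SAMPLE_EVENTS):
        print(finding)
```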
RollSling is executed directly in memory to avoid detection by security software and triggers the execution of a third loader called RollMid, which is also run in the system's memory. RollMid prepares the system for the attack and establishes contact with a command-and-control server. Following this, the Kaolin RAT sets up communications with its command-and-control server and prepares for the deployment of the FudModule rootkit.
The Kaolin RAT can enumerate files, perform file operations, upload files to the command-and-control server, alter a file's last modified timestamp, enumerate, create, and terminate processes, execute commands using cmd.exe, download DLL files from the command-and-control server, and connect to an arbitrary host. 'The Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products,' Camastra said. 'It is evident that they invested significant resources in developing such a complex attack chain...Their ability to adapt and evolve poses a significant challenge to cybersecurity efforts.'