North Korea’s Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

April 25, 2024

The Lazarus Group, a North Korean threat actor, has been discovered using a new remote access trojan (RAT) named Kaolin RAT. This RAT is delivered through fabricated job offers, a tactic that the group has used before. The Kaolin RAT has the ability to change the last write timestamp of a selected file and load any received DLL binary from the command-and-control server, according to Luigino Camastra, a security researcher at Avast.

The Kaolin RAT serves as a conduit for the FudModule rootkit. That rootkit has been observed exploiting a now-patched admin-to-kernel vulnerability in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to gain kernel read/write primitives and disable security mechanisms.

The Lazarus Group's Operation Dream Job campaign has a history of using social media and instant messaging platforms to deliver malware. Targets are tricked into launching a malicious optical disc image (ISO) file that contains three files. One of these, 'AmazonVNC.exe', pretends to be an Amazon VNC client but is actually a renamed copy of a legitimate Windows application. The other two files are named 'version.dll' and 'aws.cfg'.

The 'AmazonVNC.exe' executable is used to side-load 'version.dll', which spawns an IExpress.exe process and injects a payload read from 'aws.cfg'. This payload downloads shellcode from a command-and-control domain suspected to belong to a compromised Italian company. The shellcode launches RollFling, a DLL-based loader that retrieves and runs the next-stage malware, RollSling, which Microsoft disclosed last year in connection with a Lazarus Group campaign exploiting a critical JetBrains TeamCity flaw (CVE-2023-42793, CVSS score: 9.8).

RollSling is executed directly in memory to avoid detection by security software and triggers the execution of a third loader called RollMid, which is also run in the system's memory. RollMid prepares the system for the attack and establishes contact with a command-and-control server. Following this, the Kaolin RAT sets up communications with its command-and-control server and prepares for the deployment of the FudModule rootkit.

The Kaolin RAT can enumerate files, perform file operations, upload files to the command-and-control server, alter a file's last modified timestamp, enumerate, create, and terminate processes, execute commands using cmd.exe, download DLL files from the command-and-control server, and connect to an arbitrary host. 'The Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products,' Camastra said. 'It is evident that they invested significant resources in developing such a complex attack chain...Their ability to adapt and evolve poses a significant challenge to cybersecurity efforts.'
