In the summer of 2023, the Lazarus Group, a threat actor linked to North Korea, used its well-known fabricated job lures to deliver a new remote access trojan (RAT) named Kaolin RAT. According to Avast security researcher Luigino Camastra, the malware, beyond standard RAT functionality, can change the last write timestamp of a selected file and load any DLL binary received from the command-and-control (C2) server. The RAT serves as the delivery path for the FudModule rootkit, which recently used an admin-to-kernel exploit in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to obtain kernel read/write access and disable security mechanisms.

The attack is part of the long-running campaign dubbed Operation Dream Job, which uses various social media and instant messaging platforms to deliver malware. Targets are tricked into launching a malicious optical disc image (ISO) file containing three files. One of them, disguised as an Amazon VNC client ("AmazonVNC.exe"), is actually a renamed copy of the legitimate Windows application "choice.exe." The other two, "version.dll" and "aws.cfg," initiate the infection chain.

The payload downloads shellcode from a C2 domain ("henraux[.]com"), believed to be a hacked website belonging to an Italian company. This shellcode launches RollFling, a DLL-based loader that retrieves and launches the next-stage malware, RollSling. RollSling, executed directly in memory, triggers a third loader, RollMid, which communicates with multiple C2 servers and retrieves the Kaolin RAT. Avast noted the technical sophistication of the multi-stage sequence, suggesting it might be excessive. Once deployed, Kaolin RAT enables installation of the FudModule rootkit and supports various malicious activities, including file manipulation, process enumeration, command execution, and DLL file downloads.

Camastra emphasized the Lazarus Group's significant investment in developing such a complex attack chain, which poses a serious challenge to cybersecurity efforts.
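The initial stage described above relies on a renamed, legitimately signed Windows binary (choice.exe posing as AmazonVNC.exe) side-loading a DLL named like a system library (version.dll) from the same directory. The following is an added detection example, not code from Avast or from the write-up: it walks a constructed file inventory and flags that pattern. The record fields (`original_filename` from the PE VERSIONINFO resource, `signed_by_microsoft`) and the list of commonly side-loaded DLL names are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed list of DLL names that benign Windows binaries commonly load from
# their own directory; version.dll is the one named in the write-up.
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class FileEntry:
    path: str                       # on-disk path
    original_filename: Optional[str]  # VERSIONINFO OriginalFilename, None if absent
    signed_by_microsoft: bool       # Authenticode signer check (assumed field)


def find_sideload_candidates(entries: List[FileEntry]) -> List[dict]:
    """Flag Microsoft-signed EXEs whose on-disk name differs from their
    OriginalFilename and that sit beside a side-loadable DLL, outside
    the Windows system directories."""
    by_dir = {}
    for e in entries:
        p = PureWindowsPath(e.path)
        by_dir.setdefault(str(p.parent).lower(), []).append((p, e))
    hits = []
    for directory, items in by_dir.items():
        if directory.startswith(SYSTEM_DIRS):
            continue  # system copies are expected to live here
        dlls = {p.name.lower() for p, _ in items if p.suffix.lower() == ".dll"}
        for p, e in items:
            if p.suffix.lower() != ".exe" or not e.signed_by_microsoft:
                continue
            if e.original_filename and e.original_filename.lower() != p.name.lower():
                found = sorted(dlls & SIDELOAD_DLLS)
                if found:
                    hits.append({"executable": e.path,
                                 "original_filename": e.original_filename,
                                 "sideload_dlls": found})
    return hits


# Constructed inventory: a mounted ISO on D:\ mimicking the lure, plus benign noise.
SAMPLE = [
    FileEntry(r"D:\AmazonVNC.exe", "choice.exe", True),   # renamed choice.exe
    FileEntry(r"D:\version.dll", "version.dll", False),    # attacker-supplied DLL
    FileEntry(r"D:\aws.cfg", None, False),
    FileEntry(r"C:\Windows\System32\choice.exe", "choice.exe", True),
    FileEntry(r"C:\Program Files\Tool\tool.exe", "tool.exe", False),
    FileEntry(r"C:\Program Files\Tool\version.dll", "version.dll", False),
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE):
        print(hit)
```

Only the ISO-mounted AmazonVNC.exe is reported; the tool on C: ships its own version.dll but is neither Microsoft-signed nor renamed, and the System32 copy of choice.exe is skipped by the directory filter.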