Kaspersky discovers new CookiePlus malware

Reported By: ST Report Posting Time: 2025-01-12 01:23:37 Category: Share

Lazarus's key operation – “Operation DreamJob” – continues to evolve with new sophisticated tactics that have persisted for more than five years, according to Kaspersky Global Research and Analysis Team. The latest targets include employees from a nuclear-related organization, who were infected via three compromised archive files appearing to be skill assessment tests for IT professionals.
This ongoing campaign leverages a range of advanced malware, including a newly discovered modular backdoor, CookiePlus, that was disguised as an open-source plugin.
Kaspersky GReAT uncovered a new campaign linked to Operation DreamJob (also known as DeathNote), attributed to the Lazarus group. Initially targeting cryptocurrency businesses since 2019, the campaign expanded last year to the IT and defense sectors in Europe, Latin America, South Korea, and Africa.
Recently, Lazarus targeted employees at a nuclear-related organization in Brazil and an unidentified sector in Vietnam. Over a month, two employees received multiple archive files disguised as IT job assessments. The group evolved its delivery methods, using trojanized VNC software, including AmazonVNC.exe, to deploy malware like Ranid Downloader, MISTPEN, RollMid, and a new LPEClient variant.
They also introduced CookiePlus, a backdoor disguised as ComparePlus, a Notepad++ plugin. Once activated, CookiePlus collects system data and adjusts its execution schedule.