Luring targets with fake job adverts, the North Korea-linked threat actor Lazarus Group has deployed a new remote access trojan named Kaolin RAT.
According to a report released last week by Avast security researcher Luigino Camastra, the malware has the ability to, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server."
The RAT serves as a delivery vehicle for the FudModule rootkit, which exploits a now-patched admin-to-kernel vulnerability in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to obtain a kernel read/write primitive and ultimately disable security protections.
The initial access route tricks victims into opening a malicious optical disc image (ISO) file containing three files, one of which poses as an Amazon VNC client ("AmazonVNC.exe") but is actually a renamed copy of the legitimate Windows program "choice.exe."
Furthermore, the malware can list files, perform file operations, upload files to the C2 server, change the last modified date of a file, list, create, and end processes, run commands with cmd.exe, download DLL files from the C2 server, and establish a connection with any host.
"The Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products," Camastra stated.
Source: The Hacker News