Kaolin RAT Linked to North Korean Lazarus Group APT
The Lazarus Group, associated with North Korea, utilized familiar tactics involving fake job offers to distribute a new remote access trojan (RAT) called Kaolin RAT during attacks aimed at specific individuals in Asia in the summer of 2023.
According to Avast security researcher Luigino Camastra, the RAT, aside from its standard functionalities, could modify file timestamps and load DLL binaries from a command-and-control (C2) server.
The RAT was used to introduce the FudModule rootkit, which exploited a since-patched admin-to-kernel vulnerability in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to gain kernel-level access and disable security measures.
The Lazarus Group's use of job offer baits to infiltrate targets is part of a campaign called Operation Dream Job, which has employed social media and instant messaging platforms to distribute malware over an extended period.
Malware Comes in Compromised ISO File
In this scheme, victims unwittingly launch a malicious optical disc image (ISO) file containing three files. One file, posing as an Amazon VNC client ("AmazonVNC.exe"), is actually a renamed copy of a legitimate Windows application ("choice.exe"). The other two files, "version.dll" and "aws.cfg," initiate the infection chain: "AmazonVNC.exe" loads "version.dll" via DLL sideloading, which in turn launches a process to inject a payload read from "aws.cfg."
The payload connects to a command-and-control (C2) domain ("henraux[.]com"), potentially a compromised website belonging to an Italian company. This payload downloads shellcode to initiate RollFling, a loader for the next-stage malware RollSling, linked previously to Lazarus Group activities exploiting a JetBrains TeamCity vulnerability (CVE-2023-42793, CVSS score: 9.8).
RollSling executes in memory to evade detection and initiates RollMid, a loader that contacts a series of C2 servers in a multi-step process to establish communications.
Ultimately, this sequence leads to the deployment of the Kaolin RAT and subsequently the FudModule rootkit, enabling a range of malicious activities such as file manipulation, process enumeration, command execution, and communication with external hosts.
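The first stage of the chain above is a classic DLL sideload: a renamed, legitimate Windows binary (choice.exe running as AmazonVNC.exe) loads version.dll from its own directory instead of the system directory. The following detector, an added example and not code from Avast's report, scores image-load events for both signals. The event records and field names are constructed for the example, loosely modelled on Sysmon Event ID 7 fields.

```python
"""Flag the version.dll sideloading pattern from the Kaolin RAT chain.

Two signals, both visible in the infection chain described above:
  1. a binary whose PE OriginalFileName (choice.exe) differs from the
     name it runs under (AmazonVNC.exe), i.e. a renamed host process;
  2. version.dll resolved from the process's own directory instead of
     the Windows system directories (search-order sideloading).
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SIDELOAD_DLLS = {"version.dll"}  # the DLL abused in this chain

# Constructed sample image-load events (not real telemetry).
EVENTS = [
    {"Image": r"D:\AmazonVNC.exe", "OriginalFileName": "choice.exe",
     "ImageLoaded": r"D:\version.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Windows\System32\choice.exe", "OriginalFileName": "choice.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def _dir_of(path):
    return str(PureWindowsPath(path).parent).lower()


def _name_of(path):
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the reasons one event is suspicious (empty list = benign)."""
    reasons = []
    proc, dll = event["Image"], event["ImageLoaded"]
    orig = event.get("OriginalFileName", "").lower()
    if orig and orig != _name_of(proc):
        reasons.append(f"renamed binary: {_name_of(proc)} has OriginalFileName {orig}")
    if _name_of(dll) in SIDELOAD_DLLS and _dir_of(dll) not in SYSTEM_DIRS:
        reasons.append(f"{_name_of(dll)} loaded from non-system dir {_dir_of(dll)}")
    # Both signals plus co-location matches the AmazonVNC.exe layout closely.
    if len(reasons) == 2 and _dir_of(dll) == _dir_of(proc):
        reasons.append("DLL sits beside the renamed host binary (sideload)")
    return reasons


def find_sideloads(events):
    """Map process image -> reasons, for events that trigger at least one rule."""
    hits = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            hits[event["Image"]] = reasons
    return hits
```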