Kaolin RAT
The Lazarus Group, a cyber threat entity linked to North Korea, utilized familiar job-related traps to distribute a new Remote Access Trojan (RAT) named the Kaolin RAT during targeted attacks on specific individuals in the Asia region in the summer of 2023.
This malware, in addition to typical RAT functionalities, had the ability to modify the last write timestamp of a chosen file and load any provided DLL binary from a Command-and-Control (C2) server. The RAT served as a gateway to deploy the FudModule rootkit, which was recently observed using an admin-to-kernel exploit in the appid.sys driver (CVE-2024-21338) to gain a kernel read/write capability and subsequently disable security measures.
Fake Job Offers Utilized as Lures for Deploying the Kaolin RAT
The Lazarus Group's utilization of job offer baits for infiltrating targets is a recurring strategy. Known as Operation Dream Job, this longstanding campaign employs various social media and instant messaging platforms to distribute malware.
In this scheme, initial access is gained by deceiving targets into opening an unsafe Optical Disc Image (ISO) file containing three files. One of these files poses as an Amazon VNC client ('AmazonVNC.exe') but is actually a renamed version of a legitimate Windows application called 'choice.exe.' The other two files, named 'version.dll' and 'aws.cfg,' serve as catalysts to initiate the infection process. Specifically, 'AmazonVNC.exe' is used to load 'version.dll,' which then spawns an IExpress.exe process and injects a payload stored within 'aws.cfg.'
A Complex Multi-Stage Attack Chain Infects the Compromised Devices
The payload is engineered to retrieve shellcode from a C2 domain ('henraux.com'), suspected to be a compromised website of an Italian company specializing in marble and granite processing.
Although the exact purpose of the shellcode remains unclear, it is reportedly used to initiate RollFling, a DLL-based loader designed to obtain and execute the subsequent-stage malware called RollSling. RollSling, previously identified by Microsoft in a Lazarus Group campaign exploiting a critical JetBrains TeamCity vulnerability (CVE-2023-42793), is executed directly in memory to avoid detection by security tools, representing the next phase of the infection process.
RollMid, another loader, is then deployed in memory, tasked with preparing for the attack and establishing communication with a C2 server through a series of steps:
- Contact the first C2 server to retrieve an HTML file containing the address of the second C2 server.
- Communicate with the second C2 server to retrieve a PNG image containing a harmful component concealed using steganography.
- Transmit data to the third C2 server using the hidden address from within the image.
- Fetch an additional Base64-encoded data blob from the third C2 server, which contains the Kaolin RAT.
The Lazarus Group Exhibits Significant Sophistication in the Kaolin RAT Attack
The technical sophistication behind the multi-stage sequence, while no doubt complex and intricate, borders on overkill. Researchers believe that the Kaolin RAT paves the way for the deployment of the FudModule rootkit after setting up communications with the RAT's C2 server.
In addition, the malware is equipped to enumerate files, carry out file operations, upload files to the C2 server, alter a file's last modified timestamp, enumerate, create, and terminate processes, execute commands using cmd.exe, download DLL files from the C2 server, and connect to an arbitrary host.
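The timestamp-altering capability listed above (timestomping) leaves traces that a forensic examiner can look for. NTFS keeps two sets of timestamps per file: the `$STANDARD_INFORMATION` ones that the Win32 `SetFileTime` API can change, and the `$FILE_NAME` ones that it cannot. The code below is an added example, not part of the original report, showing two common heuristics applied to constructed MFT records (the record layout and timestamp values are assumptions for the example): a `$STANDARD_INFORMATION` timestamp that predates the `$FILE_NAME` creation time, and `$STANDARD_INFORMATION` timestamps with a zero sub-second component, which user-mode tools often produce when they write a timestamp assembled from a date string.

```python
# Added example: timestomping heuristics over constructed NTFS MFT records.
# Record layout and values are assumptions; real records would come from an
# MFT parser's output.
from datetime import datetime, timezone

UTC = timezone.utc


def timestomp_indicators(rec):
    """Return the list of timestomping indicators found in one MFT record."""
    si_created = rec["si_created"]     # $STANDARD_INFORMATION created
    si_modified = rec["si_modified"]   # $STANDARD_INFORMATION last write
    fn_created = rec["fn_created"]     # $FILE_NAME created (not API-settable)
    indicators = []

    # $FILE_NAME created is set when the file is created or moved; a
    # $STANDARD_INFORMATION time earlier than it should not normally occur.
    if si_modified < fn_created:
        indicators.append("SI modified precedes FN created")
    if si_created < fn_created:
        indicators.append("SI created precedes FN created")

    # Timestamps written from a coarse date value tend to carry no sub-second
    # part, while timestamps set by the file system almost always do.
    if si_created.microsecond == 0 and si_modified.microsecond == 0:
        indicators.append("SI timestamps have zero sub-second part")

    return indicators


# Constructed sample records (not taken from any real system).
SAMPLE_RECORDS = {
    # A dropped payload whose last-write time was pushed back into the past.
    "E:\\aws.cfg": {
        "si_created":  datetime(2019, 3, 1, 12, 0, 0, tzinfo=UTC),
        "si_modified": datetime(2019, 3, 1, 12, 0, 0, tzinfo=UTC),
        "fn_created":  datetime(2023, 7, 14, 9, 12, 33, 123456, tzinfo=UTC),
    },
    # A file with ordinary, file-system-assigned timestamps.
    "C:\\Users\\user\\notes.txt": {
        "si_created":  datetime(2023, 7, 14, 9, 12, 33, 123456, tzinfo=UTC),
        "si_modified": datetime(2023, 7, 15, 10, 0, 0, 654321, tzinfo=UTC),
        "fn_created":  datetime(2023, 7, 14, 9, 12, 33, 123456, tzinfo=UTC),
    },
}


def scan(records):
    """Map each path to its indicators, keeping only paths that have any."""
    return {path: ind for path, rec in records.items()
            if (ind := timestomp_indicators(rec))}


if __name__ == "__main__":
    for path, indicators in scan(SAMPLE_RECORDS).items():
        print(path)
        for line in indicators:
            print("   ", line)
```

Neither heuristic is conclusive on its own: a restore from backup or an archive extraction can also leave `$STANDARD_INFORMATION` times older than `$FILE_NAME` times, and some legitimate software writes whole-second timestamps. Treat a hit as a reason to pull the file's full history (USN journal, `$LogFile`) rather than as proof of tampering.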
The Lazarus Group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products. It is evident that they invested significant resources in developing such a complex attack chain, innovating continuously and devoting substantial effort to researching Windows mitigations and security products. Their ability to adapt and evolve poses a significant challenge to cybersecurity efforts.