From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams – Avast Threat Labs

Avast Threat Labs uncovered a Lazarus Group campaign targeting individuals with fabricated job offers, revealing a sophisticated attack chain culminating in the Kaolin RAT and the FudModule rootkit along with a 0-day Admin-to-Kernel exploit (CVE-2024-21338). The operation uses RollFling, RollSling, and RollMid loaders to execute in memory and communicate with multi-layer C2 servers, employing steganography and other evasion techniques. #LazarusGroup #KaolinRAT #RollFling #RollSling #RollMid #FudModule #CVE-2024-21338

Keypoints

  • Avast identified a targeted campaign in Asia delivering fabricated job offers to lure victims.
  • The attackers deployed a full attack chain ending with the Kaolin RAT and the FudModule rootkit, including a 0-day admin-to-kernel exploit (CVE-2024-21338) in a Windows driver.
  • The previously undocumented Kaolin RAT can change file timestamps and load DLLs received from the C&C server; in this chain it is the component that loads the FudModule rootkit.
  • Initial access uses a malicious ISO disguised as a VNC tool, with sideloading of a DLL through a legitimate application to evade detection.
  • The RollFling, RollSling, and RollMid loaders execute in memory, decrypt/load stages from a binary blob, and establish multi-layer C2 communications.
  • The campaign employs TLS-like obfuscation and steganography to conceal data and C2 instructions, and Avast correlates shellcode delivery with loader activity.

MITRE Techniques

  • [T1566.001] Phishing – Social engineering to present a fabricated job offer and establish rapport. Quote: “…the attacker initiates the attack by presenting a fabricated job offer to an unsuspecting individual, utilizing social engineering techniques to establish contact and build rapport.”
  • [T1574.002] DLL Side-Loading – The AmazonVNC.exe executable delivered in the ISO is used to sideload the malicious version.dll through the legitimate choice.exe application. Quote: “…the attacker attempts to send a malicious ISO file, disguised as VNC tool… The executable is used for sideloading, to load the malicious version.dll through the legitimate choice.exe application.”
  • [T1082] System Information Discovery – The loader obtains the SMBIOS table via GetSystemFirmwareTable to derive a decryption key. Quote: “…acquires the SMBIOS table by utilizing the Windows API function GetSystemFirmwareTable.”
  • [T1027] Obfuscated/Compressed Files and Information – Payloads are obfuscated (VMProtect) and decrypted/decompressed for execution. Quote: “The aws.cfg file, which is the next stage payload, is obfuscated by VMProtect.”
  • [T1071.001] Web Protocols – RollMid uses HTTP requests via curl to communicate with C2 (GetHtmlFromUrl/GetImageFromUrl). Quote: “the RollMid loader employs HTTP requests as its preferred method of communication… GetHtmlFromUrl”
  • [T1027] Steganography – Data hidden inside images during multi-layer C2 communication. Quote: “the attackers employ steganography to conceal crucial data for use in the next execution phase.”
  • [T1055] Process Injection – Binaries are loaded and executed in memory (RollSling/RollMid) as part of the in-memory execution chain. Quote: “RollSling loader is executed in memory… The third loader RollMid which is also executed in the computer’s memory.”
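
The side-loading step above (T1574.002) is the one a defender can hunt for most directly. The following is an added example, not code from the Avast write-up: it flags any process loading a version.dll from outside the Windows system directories when that DLL sits in the process's own directory, so it does not depend on whether the loading executable is named AmazonVNC.exe or choice.exe. The Sysmon-style image-load records are constructed for the demo.

```python
"""Detection logic for the DLL side-loading step (T1574.002):
version.dll loaded from somewhere other than the Windows system
directories, next to the executable that loaded it. Added example
written from a defender's side; the image-load records below are
constructed in the shape of Sysmon Event ID 7 fields (Image /
ImageLoaded), not captured from the campaign.
"""
from pathlib import PureWindowsPath

# Where version.dll legitimately lives; a load from anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_sideload_candidate(image: str, image_loaded: str) -> bool:
    """True when `image` loads a version.dll from its own directory rather
    than from SYSTEM_DIRS. Name-based on the DLL only, so it catches the
    executable whatever it is called. A legitimate application-local copy
    of version.dll would also match: treat hits as triage candidates."""
    if PureWindowsPath(image_loaded).name.lower() != "version.dll":
        return False
    dll_dir = _parent(image_loaded)
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    return dll_dir == _parent(image)


def find_sideloads(events):
    """events: iterable of dicts with 'Image' and 'ImageLoaded' keys.
    Returns the records matching the side-loading pattern."""
    return [e for e in events
            if is_sideload_candidate(e["Image"], e["ImageLoaded"])]


# Constructed sample records (only the two fields the check needs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\choice.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},   # benign
    {"Image": r"E:\AmazonVNC\AmazonVNC.exe",
     "ImageLoaded": r"E:\AmazonVNC\version.dll"},          # side-load
    {"Image": r"E:\AmazonVNC\AmazonVNC.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},   # benign
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("side-loading candidate:", hit["Image"], "->", hit["ImageLoaded"])
```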

Indicators of Compromise

  • [Hash] ISO – b8a4c1792ce2ec15611932437a4a1a7e43b7c3783870afebf6eae043bcfade30
  • [Hash] RollFling – a3fe80540363ee2f1216ec3d01209d7c517f6e749004c91901494fb94852332b
  • [Hash] NLS files – 01ca7070bbe4bfa6254886f8599d6ce9537bafcbab6663f1f41bfc43f2ee370e, 7248d66dea78a73b9b80b528d7e9f53bae7a77bad974ededeeb16c33b14b9c56
  • [Hash] RollSling – e68ff1087c45a1711c3037dad427733ccb1211634d070b03cb3a3c7e836d210f, f47f78b5eef672e8e1bd0f26fb4aa699dec113d6225e2fcbd57129d6dada7def
  • [Hash] RollMid – 9a4bc647c09775ed633c134643d18a0be8f37c21afa3c0f8adf41e038695643e
  • [Hash] Kaolin RAT – a75399f9492a8d2683d4406fa3e1320e84010b3affdff0b8f2444ac33ce3e690

Source: https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams