This is a trojanized version of TightVNC.[^1] It is believed to have been distributed in ISO and ZIP files.[^2] Executing the AmazonVNC.exe file prompts the user for an IP address and password that are provided in a readme.txt file.[^1] A downloader, Ranid, embedded within the binary is then decrypted and loaded into memory.[^1]
Sources
[1] The Hacker News, “Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware,” The Hacker News. Accessed: Jan. 01, 2025. [Online]. Available: https://thehackernews.com/2024/12/lazarus-group-spotted-targeting-nuclear.html