The North Korea-linked Lazarus Group (aka Hidden Cobra or TEMP.Hermit) has been noticed utilizing trojanized variations of Digital Community Computing (VNC) apps as lures to focus on the protection business and nuclear engineers as a part of a long-running marketing campaign often known as Operation Dream Job.
“The menace actor tips job seekers on social media into opening malicious apps for pretend job interviews,” Kaspersky stated in its APT tendencies report for Q3 2023.
“To keep away from detection by behavior-based safety options, this backdoored utility operates discreetly, solely activating when the consumer selects a server from the drop-down menu of the Trojanized VNC consumer.”
As soon as launched by the sufferer, the counterfeit app is designed to retrieve extra payloads, together with a recognized Lazarus Group malware dubbed LPEClient, which comes fitted with capabilities to profile compromised hosts.
Additionally deployed by the adversary is an up to date model of COPPERHEDGE, a backdoor recognized for operating arbitrary instructions, performing system reconnaissance, and exfiltrating knowledge, in addition to a bespoke malware particularly meant for transmitting information of curiosity to a distant server.
Targets of the most recent marketing campaign comprise companies which can be instantly concerned in protection manufacturing, together with radar programs, unmanned aerial automobiles (UAVs), army automobiles, ships, weaponry, and maritime firms.
Operation Dream Job refers to a sequence of assaults orchestrated by the North Korean hacking outfit wherein potential targets are contacted through suspicious accounts through numerous platforms reminiscent of LinkedIn, Telegram, and WhatsApp below the pretext of providing profitable job alternatives to trick them into putting in malware.
Late final month, ESET revealed particulars of a Lazarus Group assault aimed toward an unnamed aerospace firm in Spain wherein staff of the agency have been approached by the menace actor posing as a recruiter for Meta on LinkedIn to ship an implant named LightlessCan.
Lazarus Group is simply one of many many offensive applications originating from North Korea which have been linked to cyber espionage and financially motivated thefts.
One other distinguished hacking crew is APT37 (aka ScarCruft), which is a part of the Ministry of State Safety, in contrast to different menace exercise clusters – i.e., APT43, Kimsuky, and Lazarus Group (and its sub-groups Andariel and BlueNoroff) – which can be affiliated with the Reconnaissance Basic Bureau (RGB).
“Whereas totally different menace teams share tooling and code, North Korean menace exercise continues to adapt and alter to construct tailor-made malware for various platforms, together with Linux and macOS,” Google-owned Mandiant disclosed earlier this month, highlighting their evolution when it comes to adaptability and complexity.
ScarCruft, per Kaspersky, focused a buying and selling firm linked to Russia and North Korea utilizing a novel phishing assault chain that culminated within the supply of RokRAT (aka BlueLight) malware, underscoring ongoing makes an attempt by the hermit kingdom to focus on Russia.
What’s extra, one other noticeable shift is the infrastructure, tooling, and focusing on overlaps between numerous North Korean hacking outfits like Andariel, APT38, Lazarus Group, and APT43, muddying attribution efforts and pointing to a streamlining of adversarial actions.
This has additionally been accompanied by an “elevated curiosity within the improvement of macOS malware to backdoor platforms of excessive worth targets inside the cryptocurrency and the blockchain industries,” Mandiant stated.