Oct 18, 2023 | Newsroom | Cyber Attack / Malware

Trojanized VNC Apps

The North Korea-linked Lazarus Group (aka Hidden Cobra or TEMP.Hermit) has been observed using trojanized versions of Virtual Network Computing (VNC) apps as lures to target the defense industry and nuclear engineers as part of a long-running campaign known as Operation Dream Job.

"The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews," Kaspersky said in its APT trends report for Q3 2023.

"To avoid detection by behavior-based security solutions, this backdoored application operates discreetly, only activating when the user selects a server from the drop-down menu of the trojanized VNC client."

Once launched by the victim, the counterfeit app is designed to retrieve additional payloads, including a known Lazarus Group malware dubbed LPEClient, which comes fitted with capabilities to profile compromised hosts.


Also deployed by the adversary is an updated version of COPPERHEDGE, a backdoor known for running arbitrary commands, performing system reconnaissance, and exfiltrating data, as well as a bespoke malware specifically meant for transmitting files of interest to a remote server.

Targets of the latest campaign comprise businesses that are directly involved in defense manufacturing, including radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, and weaponry, as well as maritime companies.

Operation Dream Job refers to a series of attacks orchestrated by the North Korean hacking outfit in which potential targets are contacted from suspicious accounts on various platforms such as LinkedIn, Telegram, and WhatsApp under the pretext of offering lucrative job opportunities, in order to trick them into installing malware.


Late last month, ESET revealed details of a Lazarus Group attack aimed at an unnamed aerospace company in Spain, in which employees of the firm were approached on LinkedIn by the threat actor posing as a recruiter for Meta in order to deliver an implant named LightlessCan.

Lazarus Group is just one of the many offensive programs originating from North Korea that have been linked to cyber espionage and financially motivated thefts.

Another prominent hacking crew is APT37 (aka ScarCruft), which is part of the Ministry of State Security, unlike other threat activity clusters (APT43, Kimsuky, and Lazarus Group with its sub-groups Andariel and BlueNoroff) that are affiliated with the Reconnaissance General Bureau (RGB).


"While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS," Google-owned Mandiant disclosed earlier this month, highlighting the groups' evolution in terms of adaptability and complexity.

ScarCruft, per Kaspersky, targeted a trading company linked to Russia and North Korea using a novel phishing attack chain that culminated in the delivery of RokRAT (aka BlueLight) malware, underscoring ongoing attempts by the hermit kingdom to target Russia.

What's more, another noticeable shift is the overlap in infrastructure, tooling, and targeting between various North Korean hacking outfits such as Andariel, APT38, Lazarus Group, and APT43, muddying attribution efforts and pointing to a streamlining of adversarial activities.

This has also been accompanied by an "increased interest in the development of macOS malware to backdoor platforms of high value targets within the cryptocurrency and the blockchain industries," Mandiant said.
