As part of its ongoing Operation Dream Job effort, the North Korea-affiliated Lazarus Group (also known as Hidden Cobra or TEMP.Hermit) has been seen employing trojanized Virtual Network Computing (VNC) programmes as enticements to target nuclear engineers and the defence sector.
In its APT trends report for Q3 2023, Kaspersky stated that “the threat actor tricks job seekers on social media into opening malicious apps for fake job interviews.”
“To avoid detection by behavior-based security solutions, this backdoored application operates discreetly, only activating when the user selects a server from the drop-down menu of the trojanized VNC client.”
When used by the victim, the fake software is intended to retrieve further payloads, such as the LPEClient malware from the Lazarus Group, which has the ability to profile affected computers.
The adversary also launched an updated version of COPPERHEDGE, a backdoor known for executing arbitrary instructions, conducting system reconnaissance, and data exfiltration, as well as custom malware designed for sending important files to a remote server.
Businesses that are directly involved in the production of defence goods, such as those that manufacture radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, and weaponry, are the targets of the most recent campaign.
Operation Dream Job is a term used to describe a series of attacks carried out by a North Korean hacking group in which prospective targets are contacted by dubious users on various social media platforms, including WhatsApp, LinkedIn, and Telegram, under the pretence of offering them lucrative job opportunities in order to trick them into installing malware.
The Lazarus Group attacked an undisclosed aerospace company in Spain late this month, according to information released by ESET. Employees of the company were approached by a threat actor acting as a Meta recruiter on LinkedIn to distribute an implant known as LightlessCan.
Lazarus Group is just one of numerous hostile North Korean programmes that have been connected to cyber espionage and thefts with financial motives.
In contrast to other threat activity clusters, such as APT43 (also known as Kimsuky) and Lazarus Group (and its subgroups Andariel and BlueNoroff), which are connected to the Reconnaissance General Bureau (RGB), APT37 (also known as ScarCruft) is another well-known hacking group.
The evolution of North Korean threat activity in terms of adaptability and complexity was highlighted earlier this month by Google-owned Mandiant. “While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS,” the company said.
According to Kaspersky, ScarCruft targeted a business with ties to North Korea and Russia using a new phishing attack chain that resulted in the distribution of RokRAT (also known as BlueLight) malware, highlighting continuous efforts by the hermit state to harm Russia.
APT43, Andariel, APT38, and Lazarus Group are just a few examples of North Korean hacker groups that share infrastructure, tools, and targets. This complicates attribution attempts and suggests that antagonistic actions have been streamlined.
Additionally, there has been a “increased interest in the development of macOS malware to backdoor platforms of high value targets within the cryptocurrency and blockchain industries,” according to Mandiant.