Lazarus Group Uses Social Engineering to Manipulate Victims Into Downloading Malware
North Korea’s infamous Lazarus hacking group is using social engineering tactics to manipulate victims into downloading trojanized open source utilities in a bid to spy on the technology, defense and entertainment sectors worldwide.
That warning comes from Microsoft, which says the threat prevention team for its LinkedIn professional social network detected North Korean hackers creating fake profiles for recruiters. The computing giant tracks the Lazarus Group as Zinc.
The campaign primarily targets engineers and technical support professionals working at media and information technology companies located in the United Kingdom, India, and the United States. The malicious payload is the ZetaNile implant, also known as Blindingcan.
Whenever a Pyongyang hacker establishes some trust with a victim, the hacker attempts to move the conversation to WhatsApp, where the hacker delivers malware, including trojanized versions of the secure shell protocol utilities PuTTY and KiTTY, as compressed ZIP archives or ISO files. Threat intelligence firm Mandiant has also spotted North Korean hackers luring would-be job recruits into downloading PuTTY embedded in ISO files. As Mandiant notes, from Windows 10 onwards, double-clicking an ISO file automatically mounts it as a virtual disk drive, so the trojanized executable inside is one click away from running.
The Cybersecurity and Infrastructure Security Agency and the FBI have warned about the Blindingcan backdoor, which acts as a fully functional remote access Trojan. The malware is capable of retrieving system information, manipulating processes, and retrieving and modifying files. It has also been developed into a newer variant called CopperHedge.
Lazarus is infamous for using social engineering tactics as an initial access vector and has previously used fake LinkedIn job postings to lure users into downloading malicious payloads (see: North Korean Hackers Wage Job-Themed Spear-Phishing Attacks).
The trojanized applications also include the document readers Sumatra PDF and muPDF/Subliminal Recording. Starting earlier this month, the hackers also began sending out trojanized versions of TightVNC Viewer, the open source remote desktop software. The malicious TightVNC Viewer ships with a pre-populated list of remote hosts, and it is configured to install the backdoor only when the user selects a particular remote host from that list.
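Because the lure in this campaign is a legitimate-looking utility launched straight from an auto-mounted ISO, one defensive check is to correlate image-mount events with process launches from the mounted drive letter. The script below is an added example written for this article, not code from Microsoft, Mandiant or any product; its key=value log layout, field names and sample events are constructed and hypothetical, while the tool names come from the campaign described above.

```python
"""Flag SSH, VNC and PDF utilities launched from a mounted disk image.

Constructed example: the key=value log layout, its field names and the
sample events are hypothetical, not any product's real telemetry schema.
"""
import re

# Utilities the campaign above delivers in trojanized form.
LURED_TOOLS = {"putty.exe", "kitty.exe", "tvnviewer.exe", "sumatrapdf.exe", "mupdf.exe"}
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces

# Constructed sample telemetry (not real logs).
SAMPLE_LOG = r"""
ts=2022-09-29T10:00:00 event=MountImage path=C:\Users\bob\Downloads\PuTTY.iso drive=E:
ts=2022-09-29T10:00:41 event=ProcessCreate image=E:\putty.exe parent=C:\Windows\explorer.exe user=bob
ts=2022-09-29T10:05:00 event=ProcessCreate image=C:\Program Files\PuTTY\putty.exe parent=C:\Windows\explorer.exe user=alice
ts=2022-09-29T10:06:00 event=UnmountImage drive=E:
ts=2022-09-29T10:20:00 event=MountImage path=C:\Users\bob\Downloads\TightVNC.iso drive=F:
ts=2022-09-29T10:20:15 event=ProcessCreate image=F:\tvnviewer.exe parent=C:\Windows\explorer.exe user=bob
ts=2022-09-29T11:30:00 event=ProcessCreate image=E:\putty.exe parent=C:\Windows\explorer.exe user=carol
"""

def parse_event(line):
    """Split one key=value line into a dict (empty dict for a blank line)."""
    return dict(FIELD_RE.findall(line))

def find_image_launches(log_text):
    """Return (ts, user, image, source_image) for each lured tool started from a
    drive that currently backs a mounted image; mounts are tracked until unmounted."""
    mounted = {}  # drive letter, e.g. 'E:' -> path of the mounted image file
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "MountImage":
            mounted[ev["drive"].upper()] = ev["path"]
        elif kind == "UnmountImage":
            mounted.pop(ev["drive"].upper(), None)  # letter may be reused later
        elif kind == "ProcessCreate":
            image = ev["image"]
            name = image.rsplit("\\", 1)[-1].lower()
            source = mounted.get(image[:2].upper())
            if source and name in LURED_TOOLS:
                findings.append((ev["ts"], ev["user"], image, source))
    return findings

if __name__ == "__main__":
    for ts, user, image, source in find_image_launches(SAMPLE_LOG):
        print(f"{ts} {user}: {image} started from mounted image {source}")
```

On the sample data only the two launches from E: and F: while those letters back an image are reported; the installed PuTTY under Program Files and the launch from E: after the unmount are not.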