ESET: Lazarus APT hit aero, defence sector with fake job ads

The Lazarus advanced persistent threat (APT) operation – which has been linked to the North Korean government – hit aerospace and defence contractors worldwide in a campaign that saw the threat actors abuse social networks and messaging platforms to reach employees at their targets.

According to ESET Research, which presented the findings of its investigation at the ESET World Conference, the group abused LinkedIn and WhatsApp by posing as recruiters to approach unsuspecting employees at their targets, building trust and confidence before delivering malicious components disguised as job descriptions or application forms.

The campaign is linked to a previous series of attacks – dubbed Operation In(ter)ception – by a Lazarus-linked group back in 2020, which used similar techniques to target organisations in Brazil, Czechia, Qatar, Turkey and Ukraine.

The campaign began in the autumn of 2021 and ran until March 2022, targeting organisations in France, Germany, Italy, the Netherlands, Poland, Spain, Ukraine and Brazil.

ESET assesses that Lazarus’s intent was to conduct espionage and steal funds, which is the usual modus operandi of threat actors working for the destitute North Korean regime. Fortunately, they said, the campaign was not very successful.

However, Lazarus did display some ingenuity in its campaign, said Jean-Ian Boutin, ESET director of threat research, who described how the group deployed a toolset that included a user-mode component able to exploit a legitimate but known-vulnerable Dell driver to write to kernel memory. Loading a signed driver with a known flaw in order to borrow its kernel privileges is commonly referred to as a "bring your own vulnerable driver" (BYOVD) attack, and it works precisely because the driver's valid signature lets it pass the checks that would block an unsigned one.

“This advanced trick was used in an attempt to bypass security solutions monitoring,” said Boutin.

ESET said it was fairly clear the operation was mostly geared towards attacking European contractors, but by tracking the number of sub-groups running similar campaigns, the researchers established that it was in fact much wider than that. While the types of malware used often differed, the initial lure – the promise of a new job that never existed – remained the same throughout, perhaps reflecting how effective the technique is.

The researchers said it was particularly notable that Lazarus was adding hiring campaign elements that one might consider more legitimate, such as making approaches via LinkedIn, something most office-based employees can relate to. The use of messaging services such as WhatsApp or Slack lent the campaign more legitimacy.

Boutin said it was clear businesses and civilians are no longer the most common victims of malicious attacks, rather the public sector and linked contractors were at far greater risk, with the results of a successful intrusion potentially far more severe.

As already noted, one of Lazarus's primary motives is to gather vital funds for the North Korean regime, and to this end much of its activity is centred on extortion or theft. Lately, it has focused particularly on cryptocurrency, which sits partly beyond the reach of the regulated global financial system.

Earlier this year, Blender.io, a cryptocurrency mixer accused of helping Lazarus launder stolen funds, was sanctioned by the US Treasury Department.

Lazarus is thought to have funnelled $20.5m through Blender.io, part of the proceeds of a March 2022 attack on Ronin Network, the blockchain bridge built by Sky Mavis for its non-fungible token-based Axie Infinity multiplayer game.

That attack on Sky Mavis's bridge saw about $600m in cryptocurrency stolen.
