The Lazarus Group, a North Korea-linked cyber threat actor, also known as Hidden Cobra or TEMP.Hermit, has been identified using trojanized versions of Virtual Network Computing (VNC) applications to lure individuals within the defense industry and nuclear engineering fields. This ongoing campaign, referred to as Operation Dream Job, involves tricking job seekers on social media into opening malicious apps for fake job interviews, according to Kaspersky’s APT trends report for Q3 2023.

To evade detection by behavior-based security solutions, the compromised application operates discreetly, activating only when the user selects a server from the trojanized VNC client's drop-down menu. Once launched by the victim, the counterfeit app is designed to fetch additional payloads, including the Lazarus Group's well-known LPEClient malware, which is capable of profiling compromised hosts.

The adversary also deploys an updated version of COPPERHEDGE, a backdoor known for executing arbitrary commands, performing system reconnaissance, and exfiltrating data. Additionally, a custom malware variant is used to transmit files of interest to a remote server.

The primary focus of this campaign revolves around targeting companies involved in defense manufacturing, encompassing areas like radar systems, unmanned aerial vehicles (UAVs), military vehicles, naval vessels, arms production, and maritime enterprises.

Operation Dream Job is a series of attacks by the Lazarus Group, wherein potential targets are contacted through suspicious accounts on platforms like LinkedIn, Telegram, and WhatsApp. The threat actors pose as recruiters offering lucrative job opportunities to deceive victims into installing malware.

In a recent revelation, ESET disclosed details of a Lazarus Group attack on an undisclosed aerospace company in Spain. The threat actors posed as Meta recruiters on LinkedIn and delivered an implant named LightlessCan.

The Lazarus Group is just one of many North Korean offensive programs known for cyber espionage and financially motivated theft. Another prominent hacking group is APT37, also known as ScarCruft, which, unlike the other North Korean threat activity clusters, is affiliated with the Ministry of State Security; APT43, Kimsuky, Lazarus Group, and its sub-groups Andariel and BlueNoroff are associated with the Reconnaissance General Bureau.

North Korean threat activity continues to evolve and adapt, creating tailored malware for different platforms, including Linux and macOS. Moreover, there has been an increased focus on developing macOS malware for backdooring high-value targets within the cryptocurrency and blockchain industries.

This evolution in adaptability and complexity among North Korean threat actors has blurred attribution and highlighted a convergence of infrastructure, tooling, and targeting across various hacking outfits, including Andariel, APT38, Lazarus Group, and APT43.
