October 18, 2023 at 11:03AM
The Lazarus Group, a North Korea-linked hacking organization, has been using trojanized versions of Virtual Network Computing (VNC) apps to target the defense industry and nuclear engineers. They trick job seekers on social media into opening malicious apps for fake job interviews. The malware operates discreetly to avoid detection and retrieves additional payloads, including known Lazarus Group malware. The campaign, known as Operation Dream Job, contacts potential targets on various platforms under the pretext of offering job opportunities. Other North Korean hacking groups, such as APT37 and ScarCruft, have also been involved in cyber espionage and financially motivated thefts.
Summary:
The meeting notes discuss a recent cyber attack carried out by the North Korea-linked Lazarus Group, also known as Hidden Cobra or TEMP.Hermit. The group has been using trojanized versions of Virtual Network Computing (VNC) apps to target the defense industry and nuclear engineers in a long-running campaign called Operation Dream Job. The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews. The backdoored application only activates when the user selects a server from the Trojanized VNC client’s drop-down menu, making it difficult to detect by behavior-based security solutions. The counterfeit app retrieves additional payloads, including a Lazarus Group malware called LPEClient, COPPERHEDGE backdoor, and a bespoke malware for transmitting files of interest to a remote server. The targets of the campaign are businesses involved in defense manufacturing, including radar systems, military vehicles, weaponry, and maritime companies. Lazarus Group is known for its cyber espionage and financially motivated thefts. Another North Korean hacking group, APT37 (aka ScarCruft), also targeted a trading company linked to Russia and North Korea using a novel phishing attack chain that delivered the RokRAT malware. There are overlaps in infrastructure, tooling, and targeting between different North Korean hacking outfits, making attribution challenging. There is an increased interest in developing macOS malware to backdoor platforms within the cryptocurrency and blockchain industries.