North Korean state-sponsored cyber actors, known as Lazarus, are once again leveraging a job-themed attack vector to target job seekers in the energy and aerospace industries.
The attack chain, dubbed Operation Dream Job, begins with Lazarus approaching targets over email and WhatsApp pretending to be a recruiter from a prominent company. Once trust has been established, the target is sent a malicious ZIP archive file disguised as a job description.
The target is instructed to open the job description with the included PDF reader application, Sumatra PDF. The bundled copy is a trojanized version of the legitimate application: it displays the job description as a lure while also executing a loader called BurnBook. BurnBook in turn runs MistPen, a lightweight C-based backdoor capable of downloading files from threat actor-controlled infrastructure and executing them.
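A defender-side check for the lure shape described above, written as an added example rather than code from the report or from Field Effect: it inspects a ZIP attachment for a document shipped alongside the executable the recipient is told to open it with, for executable content hiding behind a document extension, and for double extensions. The sample archives are constructed in memory and stand in for the real artefacts, which the report does not publish.

```python
import io
import zipfile

# Extensions a recipient should never need in order to read a job description.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".lnk", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def _parts(name):
    """Lower-cased dotted parts of the base file name, e.g. ['cv', 'pdf', 'exe']."""
    return name.rsplit("/", 1)[-1].lower().split(".")


def assess_job_archive(zip_bytes):
    """Return the reasons a ZIP attachment resembles the Dream Job lure:
    a document shipped together with the 'reader' the victim is told to run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [e for e in zf.infolist() if not e.is_dir()]
        exts = {e.filename: "." + _parts(e.filename)[-1] for e in entries}
        docs = [n for n, x in exts.items() if x in DOCUMENT_EXTS]
        execs = [n for n, x in exts.items() if x in EXECUTABLE_EXTS]
        if docs and execs:
            findings.append("document lure bundled with executable: " + ", ".join(sorted(execs)))
        for e in entries:
            parts = _parts(e.filename)
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and "." + parts[-1] in EXECUTABLE_EXTS:
                findings.append("double extension: " + e.filename)
            # Look past the name: a Windows PE image always starts with the 'MZ' magic bytes.
            if exts[e.filename] not in EXECUTABLE_EXTS:
                with zf.open(e) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append("PE header under a non-executable name: " + e.filename)
    return findings


def build_archive(files):
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real artefacts): the described lure shape, and a benign archive.
LURE = build_archive({
    "Job_Description.pdf": b"%PDF-1.4 constructed sample\n",
    "SumatraPDF.exe": b"MZ" + b"\x00" * 62,   # fake PE stub standing in for the bundled reader
    "Reader.pdf": b"MZ" + b"\x00" * 62,       # executable hiding behind a document extension
})
CLEAN = build_archive({"Job_Description.pdf": b"%PDF-1.4 constructed sample\n"})

if __name__ == "__main__":
    for reason in assess_job_archive(LURE):
        print("SUSPICIOUS:", reason)
```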
Victims of Lazarus’s latest campaign have been located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.
Source: The Hacker News
Analysis
Lazarus has a long track record of leveraging job-themed attack vectors in its malicious cyber campaigns. For example, in early September 2024, Lazarus was observed tricking potential job seekers into completing a malware-laced coding test.
The group was also observed using AI tooling to change one member's appearance during video interviews, duping cybersecurity company KnowBe4 into hiring the threat actor. Fortunately, the company caught on to the scam when the new employee installed malware on their company-issued laptop. KnowBe4 then contacted the FBI, who advised that the employee in question was a North Korean state-sponsored threat actor.
The targeting of individuals in the aerospace and energy sectors aligns with North Korea’s goal of obtaining information to help develop its nuclear energy and weapons programs. North Korea will likely continue engaging in malicious cyber activities as long as it maintains its ambition to develop these programs.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including Lazarus. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends scrutinizing job application invites sent via email, messaging services such as WhatsApp, and social media. Take into consideration that individuals reaching out could be fake, and always make efforts to verify the recruiter’s identity and association with the company they claim to represent.
Field Effect users are encouraged to submit suspicious emails, including job offers, to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.