The North Korean hacker group known as Lazarus represents one of the most active collectives in the world.
To demonstrate this, research by Kaspersky has exposed a disturbing new attack strategy used by these cybercriminals.
In fact, researchers discovered that Lazarus uses "Trojanized" versions of Virtual Network Computing (VNC) applications to target the defense sector and some nuclear engineers. The campaign, known as Operation Dream Job, exploits social networks (LinkedIn, Telegram and WhatsApp) as vectors by offering fake job interviews.
According to Kaspersky, "To avoid detection by behavior-based security solutions, this backdoor application works unobtrusively, activating only when the user selects a server from the drop-down menu of the trojanized VNC client."
Once launched by the victim, the fake app is designed to fetch additional payloads, including a known malware linked to the Lazarus group called LPEClient, equipped with functionality to profile compromised hosts.
A type of operation that is nothing new for Lazarus
According to the data collected, the campaign that uses VNC apps often tends to also distribute an updated version of COPPERHEDGE, a backdoor known for arbitrary command execution and data exfiltration.
Through this latest backdoor, the hackers seem to want to specifically target companies involved in the construction and management of weapons of war, such as radar systems, unmanned aerial vehicles, weapons and similar equipment.
At the end of last month, ESET revealed details of a Lazarus Group attack targeting an unnamed aerospace company in Spain, in which the company's employees were approached by the threat actor posing as a recruiter for Meta on LinkedIn in order to deliver an implant named LightlessCan.
This hacker collective is just one of many offensive programs originating in North Korea that have been linked to cyber espionage and theft for financial and other purposes.