North Korea’s Lazarus compromised dozens of organizations in Israel

Pierluigi Paganini August 14, 2020

Since January 2020, the North Korea-linked Lazarus APT has successfully compromised dozens of organizations in Israel and other countries.

The Israeli defence ministry announced on Wednesday that it had foiled a cyber attack carried out by a foreign threat actor targeting the country’s defence manufacturers.

According to the officials, the attack was launched by “an international cyber group called ‘Lazarus.’” The Lazarus APT is linked to North Korea; the group’s activity surged in 2014 and 2015, and its members used mostly custom-tailored malware in their attacks. The group has been linked to several major cyber attacks, including the 2014 Sony Pictures hack, several SWIFT banking attacks since 2016, and the 2017 WannaCry ransomware infection.

The Israeli statement did not explicitly refer to the government of Pyongyang and did not provide details about the attack (the targeted companies, the date of the attack).

“The cyber-attacks were identified in real time, and thwarted,” the defence ministry told AFP, adding that “no harm or disruption” was caused.

Recently Kaspersky experts reported that Lazarus APT Group has used a new multi-platform malware framework, dubbed MATA, to target entities worldwide.

Now researchers from security firm ClearSky have provided their own version of the attack: they claim that the North Korean hackers successfully compromised their targets.

The security firm revealed that between June and August 2020 it investigated an offensive campaign tracked as Dream Job and attributed with high probability to North Korea. The campaign has been active since the beginning of the year, and the attackers infected several dozen companies and organizations in Israel and globally.

The hackers targeted defense and governmental companies, and specific employees of those companies.

“This campaign has been active since the beginning of the year and it succeeded, in our assessment, to infect several dozens of companies and organizations in Israel and globally. Its main targets include defense, governmental companies, and specific employees of those companies,” reads a report published by ClearSky. “We assess this to be this year’s main offensive campaign by the Lazarus group, and it embodies the sum of the group’s accumulative knowledge on infiltration to companies and organizations around the globe. In our estimation, the group operates dozens of researchers and intelligence personnel to maintain the campaign globally.”

The name Dream Job comes from the social engineering technique used by the attackers, who used fake LinkedIn accounts to contact potential victims and job offerings from prominent defense and aerospace entities as bait.

The state-sponsored hackers spent weeks establishing contact with the victims and compromising their systems in an attempt to steal sensitive data.

[Image: Dream Job, WhatsApp, Israel, Lazarus]

The attackers sent the victims spear-phishing messages carrying a weaponized attachment.

ClearSky detailed the offensive tools employed in the Dream Job campaign; below are the three infection scenarios identified by the experts:

  • Infection through a malicious PDF file in an open-source PDF reader, which was altered to fit the group’s needs. This is the first time this scenario is revealed publicly.
  • Infection through a Dotm file, which is downloaded from a breached server, takes the place of the original file, and runs a malicious macro on the target.
  • Infection through a Doc file containing a malicious macro.
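The second and third scenarios leave traces that can be checked for before a document is opened: a remotely fetched Dotm template shows up as an external `attachedTemplate` relationship inside the OOXML package, and a macro-bearing Doc/Docm carries a `vbaProject.bin` part. The following Python script is an added detection example, not code from the ClearSky report; the document it builds and the `breached-server.example` URL in it are constructed placeholders, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = "/relationships/attachedTemplate"

# Constructed placeholder URL, not an indicator from the report.
PLACEHOLDER_TEMPLATE_URL = "https://breached-server.example/template.dotm"


def build_sample_docx(remote_template=True):
    """Build a constructed minimal .docx in memory. With remote_template=True the
    settings part carries an external attachedTemplate relationship, the mechanism
    by which a .dotm fetched from a remote server replaces the document's template."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument'
        '/2006/relationships/attachedTemplate" Target="{url}" TargetMode="External"/>'
        '</Relationships>'
    ).format(url=PLACEHOLDER_TEMPLATE_URL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if remote_template:
            z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def inspect_ooxml(data):
    """Return {'remote_templates': [urls], 'has_vba': bool} for an OOXML file."""
    findings = {"remote_templates": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):  # embedded VBA macro project
                findings["has_vba"] = True
            elif name.endswith(".rels"):  # relationship parts may point off-package
                root = ET.fromstring(z.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if (rel.get("Type", "").endswith(ATTACHED_TEMPLATE)
                            and rel.get("TargetMode") == "External"):
                        findings["remote_templates"].append(rel.get("Target"))
    return findings


def verdict(data):
    """Triage label for mail-gateway or sandbox pre-filtering."""
    f = inspect_ooxml(data)
    if f["remote_templates"]:
        return "remote-template"
    return "macro" if f["has_vba"] else "clean"
```

Running `inspect_ooxml` over attachments at the mail gateway surfaces the remote template URL before Word ever requests it, which is where the Dotm scenario can be blocked or at least logged.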

The report published by ClearSky includes technical details about the campaign.


Pierluigi Paganini

(SecurityAffairs – Dream Job, Lazarus)
