North Korea Trojanizing Open-Source Software
Lazarus Group Uses Social Engineering to Manipulate Victims to Download Malware

North Korea's infamous Lazarus hacking group is using social engineering tactics to manipulate victims into downloading Trojanized open-source utilities in a bid to spy on the technology, defense and entertainment sectors worldwide.
That warning comes from Microsoft, which says the threat prevention team for its LinkedIn professional social network detected North Korean hackers creating fake profiles for recruiters. The computing giant tracks the Lazarus Group as Zinc.
The campaign primarily targets engineers and technical support professionals working at media and information technology companies located in the United Kingdom, India and the United States. The malicious payload is the ZetaNile implant, also known as Blindingcan.
Whenever a Pyongyang hacker establishes some trust with a victim, the hacker attempts to move the conversation to WhatsApp, where they deliver malware, including Trojanized versions of the Secure Shell (SSH) clients PuTTY and KiTTY, packaged as compressed ZIP archives or ISO files. Threat intelligence firm Mandiant has also spotted North Korean hackers luring would-be job recruits into downloading PuTTY embedded in ISO files. As Mandiant notes, from Windows 10 onward, double-clicking an ISO file automatically mounts it as a virtual disk drive, so no extraction step is needed before the bundled executable can be run.
The Cybersecurity and Infrastructure Security Agency and FBI have warned about the Blindingcan backdoor, which acts as a fully functional remote access Trojan. The malware is capable of retrieving information, manipulating processes and retrieving and modifying files. It has also been developed into a newer variant called CopperHedge.
Lazarus is infamous for using social engineering tactics as initial access vectors and has previously used fake LinkedIn job postings to lure users into downloading malicious payloads (see: North Korean Hackers Wage Job-Themed Spear-Phishing Attacks).
The Trojanized applications also include document readers Sumatra PDF Reader and muPDF/Subliminal Recording. Starting earlier this month, hackers also began sending out Trojanized versions of TightVNC Viewer, the open-source remote desktop software. The malicious TightVNC Viewer has a pre-populated list of remote hosts, and it's configured to install the backdoor only when the user selects certain remote host options in the list.