North Korean Hackers Find Value in LinkedIn
Group Lures Victims Into Opening Phishing Payload Disguised as Job-Related Info
Business social media platform LinkedIn continues to pay dividends for North Korean hackers, including one group historically concentrated on South Korean targets that has expanded into pursuing security researchers and media industry workers in the West.
A Pyongyang group tracked by Google threat intelligence unit Mandiant as UNC2970 masquerades as recruiters on LinkedIn in a bid to entice victims into opening a phishing payload disguised as a job description or skills assessment.
The phishing payloads are mainly Microsoft Word documents embedded with macros that perform remote-template injection to pull down and execute a payload from a remote command-and-control server, typically a compromised WordPress site, Mandiant writes. The UNC2970 operation it identifies, which has been active since June 2022, overlaps with the fake job recruiting activity publicly identified as Operation Dream Job by companies including Google's Threat Analysis Group, Proofpoint and ClearSky.
North Korean hacking is conducted under close state supervision, but Mandiant asserts that attribution to the hermit kingdom should be more nuanced than lumping together all activity as "Lazarus Group." North Korea preserves flexibility and resilience by maintaining different hacking units even if they overlap in infrastructure, malware and tactics.
The latest campaign begins with the attackers posing as job recruiters for legitimate media organizations such as The New York Times to establish contact with their victims. Mandiant discovered the campaign after it had detected a phishing campaign aimed at an unidentified U.S. technology company.
The hackers coax victims to shift the conversation from LinkedIn to WhatsApp and further trick their targets into downloading a malicious zipped file. The LinkedIn accounts are "well designed and professionally curated to mimic the identities of the legitimate users," Mandiant says.
When the victims open the file and enable its content, the malicious application downloads malware dubbed LidShift, which in turn downloads the command-and-control component. The hackers then load several other malware variants to establish a network foothold, perform keylogging and communicate with the command-and-control servers.
In at least one case, the threat actors used Microsoft's endpoint management service Intune to deploy malware to hosts in the environment. UNC2970 used the Microsoft Intune management extension to push custom PowerShell scripts containing malicious code to various hosts in the client environment. The PowerShell script was used to decode malware Mandiant tracks as Cloudburst and sideload it by making it appear to be a legitimate Windows binary.