Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

North Korean Hackers Wage Job-Themed Spear-Phishing Attacks

ClearSky: Operation 'DreamJob' Lures Defense Workers With Fake Job Opportunities
North Korean Hackers Wage Job-Themed Spear-Phishing Attacks
Operation 'DreamJob' lures defense workers into downloading malware with fake job opportunities. (Illustration: ClearSky)

Hackers with suspected ties to North Korea's government are conducting a cyber espionage campaign that’s circulating "job opportunity" spear-phishing emails targeting employees of defense contractors, according to the security firm ClearSky.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

The campaign, dubbed "DreamJob," is based on a fake LinkedIn profile that purports to belong to a job recruiter from a prominent defense firm. The researchers say the fraudsters likely spent months creating the profile and then courting the victims.

The cyberespionage operation has been active since January, but the ClearSky research team reports seeing a spike in activity from June through August.

ClearSky says the attacks appear to be tied to the Lazarus Group, also known as Hidden Cobra or APT37. The advanced persistent threat group is believed to be affiliated with the North Korean government. ClearSky says code found in the current malware is similar to that found in other attacks known to be conducted by Lazarus.

"We assess this to be this year's main offensive campaign by the Lazarus Group, and it embodies the sum of the group’s accumulative knowledge on infiltration to companies and organizations around the globe,” the report states. “In our estimation, the group has dozens of researchers and intelligence personnel to maintain the campaign globally.”

Over the past several years, the Lazarus Group has been tied to a series of financial cybercrimes and cyberespionage campaigns designed to benefit the North Korean government (see: North Korean Hacking Infrastructure Tied to Magecart Hits).

Attack Tactics

In the latest campaign, the attackers likely took weeks or months to create the fake LinkedIn persona used to approach the victim, the report states. This includes a fictitious LinkedIn account that is stocked with followers known to the victim. In some cases, a fraudulent LinkedIn account is lifted from an actual recruiter at a defense contractor, such as Boeing or Lockheed-Martin, according to the report.

The "recruiter" then reaches out with LinkedIn direct messages and begins chatting with victims over an extended period of time about a possible job opportunity, the researchers say. Once communications are established on LinkedIn, the attacker moves the discussion to WhatsApp or the target's personal email account to create an air of discretion, the report states.

If the victim agrees to view the job offer details, they are sent a file stored in a DropBox or OneDrive account. The attackers then attempt to persuade the victim to download the file, which includes malware, at their workplace.

"They do so by studying his daily routine and sending the file at a carefully selected time," the report notes. For this exchange, the attacker uses the target's corporate email account.

Once a victim accesses a document from the online storage site, the attackers "go ghost," ceasing all communications and deleting the LinkedIn profile used to initiate contact, the report states.

The researchers say the malware is embedded in a malicious PDF, DOC or DOTM file, which installs a LNK file that then drops three additional files. One file is bait, one is for persistence and the third is a Dynamic Link Library file that drops a remote access Trojan. The malicious files are then installed to gain access is to the target computer; the malware then moves laterally through the network.

The malware gathers information for espionage as well as financial operations, such as business email compromise fraud, the report states.

"During our investigation, we observed that the attackers searched financial-related keywords in the infected machines - which means that also in this attack, a financial motivation has also influenced the group’s activities," the report states.

Old Tricks

ClearSky researchers say the campaign may be associated with similar activity uncovered by ESET and McAfee (see: North Korean Hackers Targeted US Aerospace, Defense Firms).

The Lazarus Group also is suspected to be behind Operation Sharpshooter, a campaign that targeted nuclear, defense, energy and financial companies, according to McAfee.


About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.