The infamous group, linked to North Korea, has been busy with fake job ads/social media weaponization between 2021 and 2022.
In 2021, the US Department of Justice charged three IT programmers for cyberattacks as they were working for the North Korean military and were deemed to belong to the North Korean military hacker unit known in the info-security community as Lazarus Group.
Since then, continual research into the APT group’s activities by ESET have led to new insights into their agendas and plans.
According to telemetry used in the firm’s analyses, Lazarus had been targeting firms in Europe (France, Italy, Germany, the Netherlands, Poland, and Ukraine) and Latin America (Brazil) in 2021–2022 and not just focused on cyber espionage but also on mercenary goals to exfiltrate money (unsuccessfully).
Other findings include:
- The group had been ingenious in deploying an interesting toolset, including for example a user mode component able to exploit a vulnerable Dell driver in order to write to kernel memory. This advanced trick was used in an attempt to bypass security solutions monitoring.
- As early as 2020, a sub-group of Lazarus had been targeting European aerospace and defense contractors using social media, especially LinkedIn, to build trust with unsuspecting employees before sending them malicious components masquerading as job descriptions or applications. At that time, companies in Brazil, Czech Republic, Qatar, Turkey and Ukraine had already been targeted. The action was not only geared towards attacking European firms but defense contractors beyond the region. While the malware used in the various campaigns were different, the initial modus operandi always involved a fake job recruiter contacting an employee through LinkedIn and eventually sending the latter malicious components.
- Additionally, the group had used messaging services such as WhatsApp or Slack in their malicious campaigns and even reused legitimate hiring-campaign elements to add legitimacy to their fake recruiters campaigns