Attackers Offering Fake Malware Analysis Job Offers Targeting Security Researchers

Mandiant security researchers have recently identified a group of hackers which is believed to be from North Korea is actively seeking security researchers and media outlets with fake job proposals in the following regions:-

• The U.S.
• Europe

As a result, three different families of malware are deployed into the target’s environment. Using social engineering techniques, the threat actors persuade their targets to engage in a WhatsApp conversation with them.

In order to establish a foothold within the target’s corporate environment, a C++ malware payload called “PlankWalk” is dropped through this channel.

Campaign and Operators

Mandiant has been tracking the particular campaign since June 2022, the observed activity overlaps with “Operation Dream Job,” attributed to the North Korean cluster known as the “Lazarus group.”

In June 2022, the Mandiant team began to monitor the campaign on a continuous basis, and all these activities have been ongoing since then.

A North Korean cluster named Lazarus group has been attributed to this activity, which overlaps with “Operation Dream Job.”

While this campaign was associated with a separate group, Mandiant tracked the cluster as “UNC2970” since they observed significant differences in:-

• Tools
• Infrastructure
• Tactics

In addition, the attackers have used previously unknown malware known as:-

• TOUCHMOVE
• SIDESHOW
• TOUCHSHIFT

Previous targets of this group have been tech companies, media companies, and defense-related entities.

Gaining a Foothold Through Fake Job Offers

It is believed that the hackers began their attack by posing as job recruiters and approaching targets through LinkedIn.

The recruitment process was ultimately conducted through WhatsApp, where they sent a Word document that contained malicious macros in order to proceed further.

Some of the Word documents are altered to match the job descriptions they are promoting to their target audiences in an effort to make them look more professional.

Remote template injection is performed by the macros in the Word document. Using the compromised WordPress websites as a C&C (command and control center), the attacker downloads a TightVNC’s malicious version and this is done via remote template injection.

As part of Mandiant’s tracking system, this customized version of TightVNC is referred to as LidShift. An encrypted DLL will be loaded into the system’s memory via reflective DLL injection as soon as the program has been executed.

As a result of loading this file, the compromised system will be enumerated by a malware downloader named LidShot. This malware downloader will then deploy a malware boot loader that will establish a foothold on the device that is compromised.

Masquerading as Windows files & Binaries

A new, custom malware dropper is used by North Korean hackers during the post-exploitation phase of the attack, and it is known as “TouchShift.” While the TouchShift is designed to mimic the behavior of a legitimate Windows binary in order to carry out the attack.

There are then a number of illicit tools that TouchShift loads, including:-

• TouchShot: A screenshot utility
• TouchKey: A keylogger
• HookShot: A tunneller 
• TouchMove: A new loader
• SideShow: A new backdoor

There are 49 commands available in the new custom backdoor SideShow, which is the most interesting of the bunch. It is possible for an attacker to perform the following actions on the compromised system using these commands:-

• Arbitrary code execution
• Modify the registry
• Manipulate the firewall settings
• Add new scheduled tasks
• Execute additional payloads

Moreover, using the PowerShell scripts, threat actors have been also tracked deploying the “CloudBurst” malware to target organizations without VPNs.

Additionally, this tool masquerades itself as a legitimate Windows file, namely “mscoree.dll,” and has the function of enumerating the system. 

Exploiting zero-day to disable EDR tools

The Mandiant’s analysts discovered suspicious drivers in the log files of compromised systems, as well as an unusual DLL file (“_SB_SMBUS_SDK.dll”) when analyzing the logs.

An in-memory dropper known as LightShift had created these files, in response to another file that had been named “Share.DAT.”

There are multiple payloads loaded into the dropper from which it is possible to read and write arbitrary information from the kernel memory as long as the dropper loads an obfuscated payload named “LightShow.”

As a result of the payload’s function, the intruder is able to evade detection and exploit the EDR’s kernel routines. By creating fake social media profiles that resembled vulnerability researchers, North Korean hackers previously targeted security researchers involved in vulnerability research.

Recommendations

Here below we have mentioned all the recommendations:-

• Azure AD privileged access accounts should be limited to cloud-only accounts.
• Strengthen the measures of multi-factor authentication by enforcing them.
• There is a strong recommendation that organizations consider using a PIM solution to manage their information.
• CAPs should be used by organizations to restrict Azure administrative functions to only be available to compliant and registered devices in Azure Active Directory.
• Organizations should implement Azure Identity Protection.
• Multi Admin Approval should be implemented by organizations utilizing Intune in order to prevent unauthorized changes.
• Make sure to block Office Macros.
• Must disable Disk Image Auto-Mount
• In order to assist security engineers and investigators in detecting malicious activities, PowerShell logging should be increased.

Network Security Checklist – Download Free E-Book