Infosec biz F-Secure has uncovered a North Korean phishing campaign that targeted a sysadmin with a fake LinkedIn job advert using a General Data Protection Regulation (GDPR) themed lure.
The sysadmin worked for a cryptocurrency business, said the threat intel firm, which made him a ripe target for the money-hungry state hackers Lazarus Group, aka APT38, supposedly backed by North Korea.
“Our research, which included insights from our incident response, managed detection and response, and tactical defence units, found that this attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident,” said F-Secure’s director of detection and response, Matt Lawrence.
North Korean attackers targeted “organisations in the cryptocurrency vertical” based in Britain, the US, the Netherlands, Germany, Singapore, Japan, and at least eight other countries, said F-Secure.
The initial lure was a malware-laced file sent as an attachment to a LinkedIn message, urging the sysadmin recipient to open it for details of an exciting new job. Once opened, the file displayed this:
The GDPR-themed lure deployed by North Korea’s Lazarus Group
“As can be seen in the [above] image, the malicious version of the document claimed to be protected by General Data Protection Regulation (GDPR) and that content needed to be enabled in Word to access the document. Enabling content would then result in the malicious embedded macro code executing,” said F-Secure.
Malicious files downloaded after the macro was run bore similarities to earlier APT38 tools uncovered by Russia’s Kaspersky Lab in 2016.
“Lazarus Group invested significant effort to evade the target organisation’s defences during the attack, such as by disabling anti-virus software on the compromised hosts, and removing evidence of their malicious implants. And while the report describes the attack as sophisticated, it points out Lazarus Group’s efforts to hide their presence weren’t enough to prevent F-Secure’s investigation from recovering evidence of their activities,” said F-Secure in a canned statement.
Lazarus Group is well known for targeting financial institutions in order to siphon money back to North Korea, whose economy has stagnated for decades under Western-led sanctions intended to persuade the Communist dictatorship not to develop nuclear weapons.
In 2014 the state-backed hackers targeted Sony Pictures, stealing sensitive internal files; in 2016 they stole $81m from a Bangladeshi bank; a year later it was revealed they were targeting everything from casinos to software devs working on financial software; and last year they went completely beyond the pale by deploying in-memory malware for macOS. The group is also thought to have been behind the WannaCry malware that briefly crippled Britain’s National Health Service.
The crew is well known for using social engineering lures to deploy its malware, as well as for leaving such obvious clues to their identity that infosec researchers regularly wonder if they’re seeing a false flag attack. ®