Agency (CISA) has published a new report[1] warning companies about
a new in-the-wild malware that North Korean hackers are reportedly
using to spy on key employees at government contracting companies.
Dubbed ‘BLINDINGCAN,’ the advanced remote access trojan
acts as a backdoor when installed on compromised computers.
According to the FBI and CISA, North Korean state-sponsored
hackers Lazarus
Group[2], also known as Hidden
Cobra[3], are spreading
BLINDINGCAN to “gather intelligence surrounding key military and
energy technologies.”
To achieve this, attackers first identify high-value targets,
perform extensive research on their social and professional
networks, and then pose as recruiters to send malicious documents
loaded with the malware, masquerading as job advertisements and
offerings.
are not new and were recently spotted[4] being used in another
similar cyber espionage campaign by North Korean hackers against
Israel’s defense sector.
“They built fake profiles on Linkedin, a social network that is
used primarily for job searches in the high-tech sector,” the
Israel Ministry of Foreign Affairs said.
“The attackers impersonated managers, CEOs and leading officials
in HR departments, as well as representatives of international
companies, and contacted employees of leading defense industries in
Israel, with the aim of developing discussions and tempting them
with various job opportunities.
“In the process of sending the job offers, the attackers
attempted to compromise the computers of these employees, to
infiltrate their networks and gather sensitive security
information. The attackers also attempted to use the official
websites of several companies in order to hack their systems.”
The CISA report says that attackers are remotely controlling
BLINDINGCAN malware through compromised infrastructure from
multiple countries, allowing them to:
- Retrieve information about all installed disks, including the
disk type and the amount of free space on the disk - Create, start, and terminate a new process and its primary
thread - Search, read, write, move, and execute files
- Get and modify file or directory timestamps
- Change the current directory for a process or file
- Delete malware and artifacts associated with the malware from
the infected system.
Cybersecurity companies Trend Micro and
ClearSky also
documented this campaign in a detailed report explaining:
[5][6]
“Upon infection, the attackers collected intelligence regarding the
company’s activity, and also its financial affairs, probably in
order to try and steal some money from it. The double scenario of
espionage and money theft is unique to North Korea, which operates
intelligence units that steal both information and money for their
country.”
According to this report, North Korean attackers did not just
contact their targets through email, but also conducted
face-to-face online interviews, mostly on Skype.
“Maintaining direct contact, beyond sending phishing emails, is
relatively rare in nation-state espionage groups (APTs); however,
as it will be shown in this report, Lazarus have adopted this
tactic to ensure the success of their attacks,” the researchers
said.
CISA has released technical information to aid in detection and
attribution, as well as recommended a variety of preventive
procedures to lower the possibility of this kind of attack
significantly.
References
- ^
report
(us-cert.cisa.gov) - ^
Lazarus Group
(thehackernews.com) - ^
Hidden Cobra
(thehackernews.com) - ^
spotted
(mfa.gov.il) - ^
Trend Micro
(www.mcafee.com) - ^
ClearSky
(www.clearskysec.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/JB6Eu-da80w/job-offer-hackers.html