Rewterz Threat Update – Lazarus Group Utilizes Trojanized VNC Apps to Target Defense Experts with Fake Interviews

Severity

High

Analysis Summary

The North Korean APT group Lazarus (aka Hidden Cobra) has been detected using trojanized Virtual Network Computing (VNC) app versions to lure nuclear engineers and target the defense industry as part of their persistent campaign dubbed as Operation Dream Job.

Operation Dream Job alludes to a series of attacks organized by the North Korean APT group in which their potential targets are contacted through suspicious accounts using multiple different social media platforms like Telegram, LinkedIn, and WhatsApp by pretending to offer job opportunities in order to trick them into installing the malware.

“The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews. To avoid detection by behavior-based security solutions, this backdoored application operates discreetly, only activating when the user selects a server from the drop-down menu of the Trojanized VNC client”, the researchers mentioned

When the malicious app is launched by the victim, it retrieves additional payloads that also includes a well-known Lazarus Group custom malware called LPEClient, which comes with the ability to profile infected hosts. Another deployed payload is an updated version of a backdoor called COPPERHEDGE, which is capable of running arbitrary commands, exfiltrating data, and performing system investigation. It also has a malware specially made for transferring files to a remote server.

Last month, Lazarus group was found to have targeted an unnamed aerospace company in Spain. The details of this attack disclosed that the employees of the company were contacted by the malicious actor who pretended to be a recruiter from Meta on LinkedIn and wanted to deliver an implant called LightlessCan.

Lazarus is just one of the many advanced persistent threat groups originating from North Korea. Another distinguished hacking group is APT37, also known as ScarCruft, which is part of the Ministry of State Security. This group has recently targeted a trading firm in Russia and North Korea by using an original phishing attack chain that delivered RokRAT malware.

Various threat groups are known to share code and tools, but North Korean threat groups continue to change and adapt accordingly to the cyber landscape and they also build custom tailored malware to use for different platforms, like Linux and macOS. There seems to be an increased interest in developing macOS malware in order to backdoor high value targets.

Impact

• Information Theft and Espionage
• Exposure to Sensitive Data

Remediation

• Always be suspicious about emails sent by unknown senders.
• Never click on links/attachments sent by unknown senders.
• Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies
• Use multi-factor authentication: Implement multi-factor authentication for all accounts to make it more difficult for attackers to gain access to sensitive systems and data.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Keep software up-to-date: Ensure that all software is kept up-to-date with the latest security patches to minimize the risk of vulnerabilities being exploited.
• Monitor network traffic: Monitor network traffic for unusual or suspicious activity, which may indicate an attack is underway.
• Conduct regular security training: Provide regular security training to all employees to ensure they are aware of the latest threats and how to protect against them.
• Conduct regular security assessments: Conduct regular security assessments to identify vulnerabilities and weaknesses that could be exploited by attackers.