ESET Research: Lazarus attacks aerospace and defense contractors worldwide while misusing LinkedIn and WhatsApp

Over the course of the annual ESET World conference, ESET researchers have been presenting a new investigation into the infamous Lazarus APT Group and their attack on defense contractors around the world between late 2021 and March 2022.

· Since the beginning of this campaign, according to ESET telemetry, the targets were in Europe (France, Italy, Spain, Czech Republic, the Netherlands, Poland, and Ukraine), the Middle East (Turkey, Qatar) and Latin America (Brazil).

· For fake recruiting campaigns, the attackers used services such as LinkedIn and WhatsApp.

· The U.S. government alleges Lazarus is linked to the North Korean government.

During the annual ESET World conference, ESET researchers presented a new investigation into the infamous Lazarus APT group. Director of ESET Threat Research, Jean-Ian Boutin, went over various new campaigns perpetrated by the Lazarus group against defense contractors around the world between late 2021 and March 2022.

In the relevant 2021-2022 attacks, according to ESET telemetry, Lazarus has been targeting companies in Europe (France, Italy, Spain, the Netherlands, Poland, and Ukraine) and the Middle East (Turkey).

Although the primary aim of this Lazarus operation was cyber-espionage, the group also tried, unsuccessfully, to exfiltrate money. “The Lazarus threat group showed ingenuity by deploying an interesting toolset, including, for example, a user mode component able to exploit a vulnerable Dell driver in order to write to kernel memory. This advanced trick was used in an attempt to bypass security solutions monitoring,” says Jean-Ian Boutin.

As early as 2020, ESET researchers had already documented a campaign pursued by a sub-group of Lazarus against European aerospace and defense contractors, which ESET called Operation In(ter)ception. This campaign was noteworthy because it used social media, especially LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components masquerading as job descriptions or applications. At that time, companies in Brazil, Czech Republic, Qatar, Turkey and Ukraine had already been targeted.

ESET researchers believed that the action was mostly geared toward attacking European companies, but by tracking a number of Lazarus sub-groups performing similar campaigns against defense contractors, they soon realized that the campaign extended much more widely. While the types of malware used in the various campaigns were different, the initial modus operandi (M.O.) always remained the same: a fake recruiter contacted an employee through LinkedIn and eventually sent malicious components.

In this regard, the attackers have continued with the same M.O. as in the past. However, ESET researchers have also documented the reuse of legitimate hiring campaign elements to add legitimacy to the fake recruiters’ campaigns. Additionally, the attackers have used services such as WhatsApp or Slack in their malicious campaigns.

Fake recruiting campaign by Lazarus

In 2021, the U.S. Department of Justice charged three IT programmers for cyberattacks, alleging they were working for the North Korean military. The U.S. government claimed they belonged to the North Korean military hacker unit known in the infosec community as Lazarus Group. The criminal charges are unlikely to ever reach adjudication in any U.S. court, because the three individuals are located in North Korea.
