Dubbed 'BLINDINGCAN,' the advanced remote access trojan acts as a backdoor when installed on compromised computers.
According to the FBI and CISA, North Korean state-sponsored hackers Lazarus Group, also known as Hidden Cobra, are spreading BLINDINGCAN to "gather intelligence surrounding key military and energy technologies."
To achieve this, attackers first identify high-value targets, perform extensive research on their social and professional networks, and then pose as recruiters to send malicious documents loaded with the malware, masquerading as job advertisements and offerings.
However, such employment scams and social engineering strategies are not new and were recently spotted being used in another similar cyber espionage campaign by North Korean hackers against Israel's defense sector.
"They built fake profiles on Linkedin, a social network that is used primarily for job searches in the high-tech sector," the Israel Ministry of Foreign Affairs said.
"The attackers impersonated managers, CEOs and leading officials in HR departments, as well as representatives of international companies, and contacted employees of leading defense industries in Israel, with the aim of developing discussions and tempting them with various job opportunities.
"In the process of sending the job offers, the attackers attempted to compromise the computers of these employees, to infiltrate their networks and gather sensitive security information. The attackers also attempted to use the official websites of several companies in order to hack their systems."
The CISA report says that attackers are remotely controlling BLINDINGCAN malware through compromised infrastructure from multiple countries, allowing them to:
- Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
- Create, start, and terminate a new process and its primary thread
- Search, read, write, move, and execute files
- Get and modify file or directory timestamps
- Change the current directory for a process or file
- Delete malware and artifacts associated with the malware from the infected system.
Cybersecurity companies Trend Micro and ClearSky also documented this campaign in a detailed report explaining:
"Upon infection, the attackers collected intelligence regarding the company's activity, and also its financial affairs, probably in order to try and steal some money from it. The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country."
According to this report, North Korean attackers did not just contact their targets through email, but also conducted face-to-face online interviews, mostly on Skype.
"Maintaining direct contact, beyond sending phishing emails, is relatively rare in nation-state espionage groups (APTs); however, as it will be shown in this report, Lazarus have adopted this tactic to ensure the success of their attacks," the researchers said.
CISA has released technical information to aid in detection and attribution, as well as recommended a variety of preventive procedures to lower the possibility of this kind of attack significantly.