
Lazarus Group’s Deceptive Recruitment Tactics to Target Defense Specialists


The Lazarus Group, also known as Hidden Cobra or TEMP.Hermit, has been observed using trojanized Virtual Network Computing (VNC) applications in its ongoing Operation Dream Job campaign, which targets the defense industry and nuclear engineers.

Details about the Tactics

This threat actor approaches job seekers on social media platforms and, under the pretext of job interviews, persuades them to run malicious applications.

The backdoored application stays dormant to evade behavior-based security tools, activating only when the victim selects a server from the trojanized VNC client’s drop-down menu.

Once initiated by the unsuspecting victim, the counterfeit application is designed to fetch additional payloads, including the well-known Lazarus Group malware LPEClient, which can profile compromised hosts.

Lazarus on the Rise Again!

The adversary also deploys an updated variant of COPPERHEDGE, a backdoor with a reputation for executing arbitrary commands, conducting system surveillance, and exfiltrating data. 

Additionally, custom-built malware is employed to transmit files of interest to a remote server.

The latest targets of Operation Dream Job include companies directly engaged in defense manufacturing, such as those dealing with radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, weaponry, and maritime enterprises.

Image: Mandiant’s previously assessed DPRK cyber organizational chart for 2020.

Operation Dream Job denotes a series of orchestrated attacks by the North Korean hacking group, where potential victims are contacted through suspicious accounts on platforms like LinkedIn, Telegram, and WhatsApp. 

They are lured into installing malware under the guise of attractive job opportunities.

The Lazarus Group is just one of several offensive programs originating from North Korea associated with cyber espionage and financially motivated theft. APT37, APT43, and Kimsuky are some others.

Image: Bitcoin-themed lure document.

There is an evident convergence in infrastructure, tooling, and targeting strategies among North Korean hacking entities, including Andariel, APT38, Lazarus Group, and APT43. 

Commitment to Cyber Security

The sophisticated tactics, techniques, and procedures employed by threat actors are proof that the future of cyber security depends on round-the-clock diligence. The incidents discussed above are a reminder that no organization is ever fully secure.

Resilience in the face of cyber-attacks!

Author: Anas Hasan

Date: October 19, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast with extensive experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
