North Korea Has Been Hacking People Using 'Job Offer That’s Too Good To Be True'

31/07/2020

In an investigation by McAfee Advanced Threat Research (ATR), it was found that North Korean actors have been actively posing as recruiters in hopes of infiltrating the networks of aerospace and defense companies in other countries.

The researchers claimed that the months-long spying campaign was also purportedly intended to spread malware across the U.S. and Europe.

While the researchers have yet to determine how successful the campaign was, they suspect that the attackers targeted potential victims with malicious emails carrying Microsoft Word documents as attachments, packed with alluring career opportunities involving active defense contracts.

"The victimology of these campaigns is not clear at this time, however based on the job descriptions, they appear to be targeting people with skills and experience relating to the content in the lure documents," the report said.

In their report, the researchers at McAfee warned that the goal of this malicious campaign is to plant malware, which makes it possible for the attacker to extract even more data.

[Image: North Korea hackers pose as recruiters to offer jobs to victims. Credit: McAfee]
"We are in the midst of an economic slump, with more candidates than there are jobs, something that has been leveraged by malicious actors to lure unwitting victims into opening documents laden with malware. While the prevalence of attacks during this unprecedented time has been largely carried out by low-level fraudsters, the more capable threat actors have also used this crisis as an opportunity to hide in plain sight."

This isn't the first time that North Korea has targeted victims in numerous countries with fake job offers.

Back in 2017, a similar campaign was launched using lure documents with job postings from leading defense contractors. Then in 2019, a criminal complaint from the Department of Justice alleged that state-sponsored actors had attempted to breach the American aerospace and defense firm Lockheed Martin using the same method.

The trick didn’t work at that time, but as the researchers have demonstrated, North Korean hackers aren't giving up.

Even though the method has received public exposure, the North Koreans are no less willing to use the same job-recruitment ploy as their method of attack.

These two incidents have been attributed to the threat actor group known as Hidden Cobra, an umbrella term used to refer to threat groups attributed to North Korea by the U.S. Government.

Hidden Cobra consists of threat activity from groups the industry labels as Lazarus, Kimsuky, KONNI and APT37.

[Image: North Korea hackers pose as recruiters to offer jobs to victims. Credit: McAfee]
"The Techniques, Tactics and Procedures (TTPs) of the 2020 activity are very similar to those previous campaigns operating under the same modus operandi that we observed in 2017 and 2019. From our analysis, this appears a continuation of the 2019 campaign, given numerous similarities observed. These similarities are present in both the Visual Basic code used to execute the implant and some of the core functionality that exists between the 2019 and 2020 implants."

As for the content of the scam emails, the hackers are said to have copied and pasted job descriptions found on some defense contractors' websites, which focus on sensitive work in military surveillance and security programs.

All files that the attackers sent were created with Word 2016 and had both the English and Korean languages installed.

The researchers' analysis of this metadata showed strong evidence that the malicious documents were created from a common root document.

These template files contain Visual Basic macro code that loads a DLL implant onto the victim's system.
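The kind of metadata clustering described above can be reproduced by a defender on suspicious attachments. The following triage script is an added example, not McAfee's tooling or code from the report: it reads the authoring application and version, creator names, declared editing languages and the presence of an embedded VBA project from an OOXML file, using only the standard library. The sample document it builds is constructed here to exercise the parser and is not one of the lure files.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Standard OOXML namespaces for the package parts read below.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}
LANG_RE = re.compile(r"[a-z]{2,3}-[A-Z]{2}")  # locale tags such as en-US, ko-KR

def triage_docx(data: bytes) -> dict:
    """Extract the fields used to cluster lure documents from a .docx/.dotm package."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        def field(part, path):  # text of one docProps element, '' if the part is absent
            return ET.fromstring(zf.read(part)).findtext(path, "", NS) if part in names else ""
        langs = set()
        # Word records editing languages as w:lang / w:themeFontLang attributes
        # (w:val = Latin script, w:eastAsia = CJK such as Korean, w:bidi = RTL scripts).
        for part in ("word/styles.xml", "word/settings.xml", "word/document.xml"):
            if part in names:
                for tag in ("lang", "themeFontLang"):
                    for el in ET.fromstring(zf.read(part)).iter(f"{{{NS['w']}}}{tag}"):
                        langs.update(v for v in el.attrib.values() if LANG_RE.fullmatch(v))
        return {"application": field("docProps/app.xml", "ep:Application"),
                "app_version": field("docProps/app.xml", "ep:AppVersion"),
                "creator": field("docProps/core.xml", "dc:creator"),
                "last_modified_by": field("docProps/core.xml", "cp:lastModifiedBy"),
                "languages": sorted(langs),
                "has_vba_project": "word/vbaProject.bin" in names}

def build_sample_docx() -> bytes:
    """Constructed sample (not a real lure): Word 2016 document with English and Korean set."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:creator>Author</dc:creator><cp:lastModifiedBy>User</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion></Properties>')
    styles = (f'<w:styles xmlns:w="{NS["w"]}"><w:docDefaults><w:rPrDefault><w:rPr>'
              '<w:lang w:val="en-US" w:eastAsia="ko-KR"/></w:rPr></w:rPrDefault>'
              '</w:docDefaults></w:styles>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/styles.xml", styles)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 12)  # OLE header stub
    return buf.getvalue()
```

Running `triage_docx` over a batch of attachments and grouping on creator, AppVersion and language set surfaces documents that share a root template, which is the signal the researchers used; an AppVersion of 16.0000 corresponds to Word 2016.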

“Human beings are curious and flattered when we receive an interesting job offer from an interesting company,” Christiaan Beek, senior principal engineer and lead scientist at McAfee, said of the hacking campaign.

“If you were to receive a job offer for…a reporting position at an interesting company, wouldn’t you open it, too [after checking the email-headers of the source]?”

To further reach and engage their potential victims, the attackers are also using LinkedIn. This method has proven successful in the past: in late 2018, a group of spies posing as employers on LinkedIn managed to compromise employees at two European aerospace and defense firms.