The infamous North Korean cybercriminal, Lazarus Group, has been observed engaging in a highly sophisticated, targeted malware attack that targets popular open source software and conducts spear phishing campaigns.
As a result, he managed to discredit “numerous” organizations from the media, defense and aviation industries, as well as IT services, report (opens in a new tab) from Microsoft ended.
The company claims that Lazarus (or ZINC as it calls the group) has hacked PuTTY, including open source applications, with malicious code that installs spyware. PuTTY is a free and open source terminal emulator, serial console, and network file transfer application.
But simply compromising open source software does not guarantee access to the target organization’s endpoints – people still have to download and run the software. This is where phishing comes in. By engaging in a highly targeted social engineering attack on LinkedIn, cyber criminals encourage certain people working at target companies to download and run the application. Reportedly, members of the group assume the identity of recruiters on LinkedIn, offering people lucrative job opportunities.
The application has been specially adapted to avoid detection. Only when the application connects to the specified IP address and logs in with a special set of login credentials, the application will initiate the ZetaNile spyware.
In addition to PuTTY, Lazarus managed to compromise KiTTY, TightVNC, Sumatra PDF Reader and muPDF / Subliminal Recording.
“Actors have successfully broken into many organizations since June 2022,” members of the Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense teams wrote in the post. “Due to the extensive use of the platforms and software that ZINC uses in this campaign, ZINC can pose a serious threat to individuals and organizations in many sectors and regions.”
Lazarus is no stranger to false attacks on job offers. After all, the group is doing the same for cryptocurrency makers and artists, posing as recruiters like Crypto.com and Coinbase.