Lazarus attackers mimic job recruiters

Cyberattackers are impersonating a type of person who’s difficult to ignore: a recruiter saying that you’re just the right person for a new, impressive job.

At this year’s virtual ESET World conference, Jean-Ian Boutin, director of threat research at the AV provider ESET, reviewed a series of recent attempts to lure target organizations—specifically aerospace and defense companies—with bogus LinkedIn profiles and “better, high-paying” job - offers.

The impersonations are believed to be cyber-espionage efforts from the North Korea-linked hacker group, Lazarus. Lazarus cyberattackers have been suspected of sending malware since at least 2014. In 2020, McAfee discovered a series of malware-containing postings meant to lure defense-contractor targets into downloading a data-gathering implant. In February of this year, Qualys revealed how the cyber-criminal group has been targeting job-seekers with fake Lockheed Martin job offers.

In the cases presented by Boutin, the primary motivation from the Lazarus group appears to be the exfiltration of aerospace and defense data.

“They’re doing cyber-espionage in this field to actually try to close the technical gap that they might have in some of their technology, because they don’t have the means to acquire it,” Boutin said in a Q&A at ESET 2022 after his presentation.

Campaign season. Boutin detailed two new campaigns in his presentation, which was titled, “Worldwide Aerospace and Defense Contractors Under Attack by Lazarus”:

Sep. 2021: An attacker posing as an Amazon recruiter approached a defense-contractor employee in the Netherlands, according to Boutin’s report (and ESET’s telemetry information). An attached job application from the Amazon faker, in fact, contained a malicious remote template.

Jan. 2022: Using a LinkedIn profile to impersonate a job recruiter from BAE Systems, an attacker targeted a defense company in Turkey. The attack used an encrypted archive known as an RAR file to send the malicious components, and the downloader payload itself was hosted on GitHub—an intriguing choice, said Boutin. “The use of GitHub is interesting, because it just shows that the threat actor is trying to use all legitimate services and abuse them as much as they can to make their campaign as legitimate as they can be,” Boutin said during the presentation.

Appealing to the ego. A job opening offers an enticing window for attackers lately.

In May of this year, a team at eSentire witnessed a reversal of the ESET findings: A phony job applicant serving malware to the unsuspecting employer.

The endorphin rush of a compliment from a recruiter goes a long way and makes job-specific attacks especially successful, according to Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance.

“When somebody sends you an email or hits you up on LinkedIn and says, ‘Hey, I really like your résumé or your profile,’ you know, ‘I'm interested in talking to you,’ what’s the first emotion you feel? It’s a little ego boost, right?” Plaggemier explained to IT Brew.

Another effective aspect of the phishing strategy: Employees may not want to tell their employers that a security problem arose because they were looking for a new gig.

“If, as an employee, you were clicking on things you shouldn’t, and then, on top of that, were trying to apply for another job, reporting the security incident is something that you will think twice before doing,” Boutin said, during the ESET Q&A.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.