A North Korean hacking group is believed to be behind a new malware campaign that uses fake jobs on LinkedIn to lure its victims.
The group posts fake job listings for the media, technology and defense industries while posing as legitimate recruiters; in one ad it even impersonated the New York Times.
Threat intelligence firm Mandiant discovered that the campaign has been running since June 2022. It believes the campaign is linked to another North Korean malware operation, run by the infamous Lazarus group and known as “Operation Dream Job”, which breaks into systems belonging to cryptocurrency users.
Phishing for victims
Mandiant, however, attributes the new campaign to a different group from Lazarus, and notes that it is the first time the TouchMove, SideShow and TouchShift malware families have been observed in attacks.
Once a target responds to the LinkedIn job offer, the attackers move the conversation to WhatsApp, where they send a Word document containing malicious macros. The macros install a trojan downloaded from WordPress sites that the attackers have compromised and use as command-and-control infrastructure.
That trojan, a TightVNC-based tool known as LidShift, in turn loads a malicious Notepad++ plug-in, which downloads the LidShot malware; LidShot then installs the final payload on the device, the PlankWalk backdoor.
The attackers then use a dropper called TouchShift, disguised as a legitimate Windows binary, to load further malicious components: TouchShot and TouchKey, a screenshot tool and a keylogger respectively, and the TouchMove loader.
TouchShift also loads another backdoor, SideShow, which gives the attackers extensive control over the host, including editing the registry, changing firewall settings and running additional payloads.
In organizations that did not use a VPN, the attackers instead abused the Microsoft Intune endpoint management service to deploy the CloudBurst malware.
The attackers also exploited a zero-day vulnerability in the ASUS driver “Driver7.sys”. A further payload, called LightShow, uses the flaw to patch kernel routines belonging to endpoint protection software and thereby evade detection. The vulnerability has since been patched.
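The chain described above (a macro-laden Office document launching a trojan, Notepad++ loading a malicious plug-in, and a vulnerable driver being loaded to blind endpoint protection) gives a defender three observable stages to hunt for. The script below is an added example written for this page, not code from Mandiant or from the campaign's reporting. It runs simple heuristics over Sysmon-like process-creation, image-load and driver-load events and flags hosts on which more than one stage fired. The JSON field names, the user-writable path markers, the process name `tvnviewer.exe` and all sample events are constructed assumptions for illustration; only the driver name `Driver7.sys` comes from the article.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Office binaries that should rarely spawn anything other than sibling Office processes.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Path fragments typical of user-writable staging directories (assumed, tune per estate).
USER_WRITABLE_MARKERS = ("/appdata/", "/temp/", "/tmp/", "/users/public/", "/programdata/")
# The ASUS driver the article names as abused by LightShow; extend with your own blocklist.
KNOWN_ABUSED_DRIVERS = {"driver7.sys"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path so substring checks are stable."""
    return path.replace("\\", "/").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def check_event(ev: dict) -> list:
    """Return the findings a single event triggers (possibly none)."""
    host = ev.get("Host", "?")
    kind = ev.get("EventType")
    out = []
    if kind == "ProcessCreate":
        parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
        # Stage 1: the macro in the WhatsApp-delivered document launches a non-Office process.
        if parent in OFFICE_IMAGES and child not in OFFICE_IMAGES:
            out.append(Finding(host, "office_spawned_process", f"{parent} -> {child}"))
    elif kind == "ImageLoad":
        loaded = _norm(ev.get("ImageLoaded", ""))
        # Stage 2: Notepad++ loading a plug-in DLL from a user-writable location.
        if (_basename(ev.get("Image", "")) == "notepad++.exe" and loaded.endswith(".dll")
                and any(m in loaded for m in USER_WRITABLE_MARKERS)):
            out.append(Finding(host, "notepadpp_plugin_from_user_path", loaded))
    elif kind == "DriverLoad":
        loaded = _norm(ev.get("ImageLoaded", ""))
        # Stage 3: a driver known to be abused, or any driver loaded from outside the drivers dir.
        if _basename(loaded) in KNOWN_ABUSED_DRIVERS:
            out.append(Finding(host, "known_abused_driver_loaded", loaded))
        elif not loaded.startswith("c:/windows/system32/drivers/"):
            out.append(Finding(host, "driver_loaded_from_unusual_path", loaded))
    return out


def hunt(log_lines) -> dict:
    """Parse JSON-lines events and group the findings by host."""
    by_host = defaultdict(list)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        for finding in check_event(json.loads(line)):
            by_host[finding.host].append(finding)
    return dict(by_host)


def hosts_with_chain(by_host: dict, min_rules: int = 2) -> list:
    """Hosts on which at least `min_rules` distinct stages fired: a chain, not a one-off."""
    return sorted(h for h, fs in by_host.items() if len({f.rule for f in fs}) >= min_rules)


# Constructed sample telemetry, not real events: WS-A shows the full chain, WS-B is benign,
# WS-C only loads the driver (a single stage, so it is reported but not flagged as a chain).
SAMPLE_EVENTS = [
    {"Host": "WS-A", "EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\tvnviewer.exe"},
    {"Host": "WS-A", "EventType": "ImageLoad", "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\NppPlugin.dll"},
    {"Host": "WS-A", "EventType": "DriverLoad", "ImageLoaded": r"C:\Windows\Temp\Driver7.sys"},
    {"Host": "WS-B", "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Host": "WS-B", "EventType": "ImageLoad", "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll"},
    {"Host": "WS-B", "EventType": "DriverLoad", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"Host": "WS-C", "EventType": "DriverLoad", "ImageLoaded": r"C:\Windows\Temp\Driver7.sys"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for host, findings in results.items():
        for f in findings:
            print(f"{host}: {f.rule}: {f.detail}")
    print("hosts showing the chain:", hosts_with_chain(results))
```

Two caveats before running anything like this against real telemetry: portable and per-user Notepad++ installs keep their plug-ins under the user profile, so the plug-in rule needs baselining rather than blind alerting, and matching a driver by file name only catches the one driver named here; in practice, bring-your-own-vulnerable-driver hunting compares the loaded driver's hash against a maintained blocklist, since attackers can rename the file freely.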