North Korean based threat actors are believed to be actively seeking security researchers and media outlets with fake job proposals aimed at U.S. and European victims.
Three different families of malware are deployed into the target’s environment, and social engineering techniques are used to convince their targets to engage in a WhatsApp conversation. Through this channel, a C++ malware payload called “PlankWalk” is dropped to gain access to the target’s corporate network.
More About the Campaign
Mandiant has been tracking the particular campaign since June 2022, the observed activity overlaps with Operation Dream Job, attributed to the North Korean cluster known as Lazarus group.
In June 2022, the cybersecurity team began to continuously monitor the campaign and concluded that all these activities have been ongoing since then.
According to reports, the hackers approached targets through LinkedIn posing as recruiters. In order to continue the recruitment process, they sent a Word document containing malicious macros via WhatsApp. Their Word documents are altered to match the job descriptions they are promoting to their target audiences.
Remote template injection is performed by the macros in the Word document. Using the compromised WordPress websites as a C&C (command and control center), the attacker downloads a malicious version of TightVNC using remote template injection.
As CSN reports, this customized version of TightVNC is referred to as LidShift. An encrypted DLL will be loaded into the system’s memory via reflective DLL injection as soon as the program has been executed. Upon loading this file, the compromised system will be enumerated by a malware downloader named LidShot. This malware downloader will then deploy a malware boot loader that will establish a foothold on the device that is compromised.
During the post-exploitation phase of the attack, the North Korean hackers use a custom malware dropper called TouchShift, which mimics the behavior of a legitimate Windows binary.
The tools that TouchShift loads include:
- TouchShot: A screenshot utility
- TouchKey: A keylogger
- HookShot: A tunneller
- TouchMove: A new loader
- SideShow: A new backdoor
There are 49 commands available in the new custom backdoor SideShow, which is the most interesting of the bunch. On the compromised system, the APT can perform actions such as:
- Arbitrary code execution
- Modifying the registry
- Manipulating the firewall settings
- Add new scheduled tasks
- Execution of additional payloads
Moreover, using the PowerShell scripts, threat actors have been also tracked deploying the “CloudBurst” malware aimed at organizations without VPNs.
Additionally, this tool masquerades itself as a legitimate Windows file, namely “mscoree.dll,” and has the function of enumerating the system.
Furthermore, Mandiant’s analysts discovered suspicious drivers in the log files of compromised systems, as well as an unusual DLL file (“_SB_SMBUS_SDK.dll”) when analyzing the logs.
Mitigations
Below there are all the recommendations to be kept in mind:
- Azure AD privileged access accounts should be limited to cloud-only accounts.
- Strengthen the measures of multi-factor authentication by enforcing them.
- There is a strong recommendation that organizations consider using a PIM solution to manage their information.
- CAPs should be used by organizations to restrict Azure administrative functions to only be available to compliant and registered devices in Azure Active Directory.
- Organizations should implement Azure Identity Protection.
- Multi Admin Approval should be implemented by organizations utilizing Intune in order to prevent unauthorized changes.
- Make sure to block Office Macros.
- Must disable Disk Image Auto-Mount
- In order to assist security engineers and investigators in detecting malicious activities, PowerShell logging should be increased.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.