Hackers using fake social media accounts and trojanized open-source software is nothing new. Lately, however, Microsoft is reporting that these methods are being used against IT support staff and software engineers, who are lured in with bogus job offers that ultimately lead to malware infections.
A state-sponsored hacker group associated with North Korea has been found using LinkedIn's recruitment features as bait and trojanized open-source apps to hook tech-industry employees, according to Microsoft.
The Microsoft Threat Intelligence Center (MSTIC) has observed the group distributing weaponized versions of PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer in attacks that have been ongoing since late April. Targets are employees in IT services, aerospace, defense, and media in Russia, India, the UK, and the U.S. The same group is said to be responsible for the 2014 attack on Sony Pictures Entertainment, which raised tensions between North Korea and the U.S. over a soon-to-be-released movie that portrayed the North Korean leader in an unfavorable light.
Microsoft tracks the group as ZINC; it is more widely known as Lazarus. Google Cloud's Mandiant threat analysts have also observed it running spear-phishing campaigns in the media and tech sectors built around fake job offers: once initial trust has been established, the attackers switch to WhatsApp as their primary channel and use it to deliver infected versions of PuTTY.
ZINC targets workers inside the companies it is trying to infiltrate and tries to coax them into opening infected documents or running seemingly benign programs that carry malicious code. Security researchers have also been targeted through LinkedIn and Twitter.
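The trojanized installers named above (PuTTY, KiTTY, TightVNC, Sumatra PDF, muPDF) only work if the target runs a binary that did not come from the vendor. The practical countermeasure is to pin the SHA-256 digests the vendor publishes and refuse anything that does not match, including files whose name is not on the list at all. The script below is an added example, not code from the article or from Microsoft, LinkedIn or Mandiant; the filenames, the version number, the allowlist entries and the file contents are all constructed stand-ins, and no real PuTTY hash is included.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-ins for a genuine installer and a trojanized copy of it.
# An attacker ships the tampered copy under the SAME filename, so the name alone
# proves nothing; only the digest does.
GENUINE_BYTES = b"MZ\x90\x00 constructed stand-in for a genuine PuTTY installer"
TAMPERED_BYTES = GENUINE_BYTES + b"\x00 injected payload stub (constructed)"


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (used to build the sample allowlist)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path: str, allowlist: dict) -> str:
    """Return 'trusted' only if the file's digest equals the pinned digest for
    its basename. A mismatch OR an unknown filename is 'untrusted': fail closed,
    because a tool that is not on the list was never vetted."""
    expected = allowlist.get(os.path.basename(path))
    if expected is None:
        return "untrusted"
    actual = sha256_file(path)
    # constant-time comparison; not strictly needed for hashes but a good habit
    return "trusted" if hmac.compare_digest(actual, expected.lower()) else "untrusted"


def demo() -> dict:
    """Build three files in a temp dir and verify each against the allowlist.
    The version string 'putty-0.78' is an assumed, constructed filename."""
    allowlist = {"putty-0.78-installer.msi": sha256_bytes(GENUINE_BYTES)}
    samples = {
        # (source folder, filename, contents)
        "vendor-download": ("putty-0.78-installer.msi", GENUINE_BYTES),
        "whatsapp-attachment": ("putty-0.78-installer.msi", TAMPERED_BYTES),
        "unknown-tool": ("kitty-portable.exe", b"MZ\x90\x00 some other binary"),
    }
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        for source, (fname, data) in samples.items():
            folder = os.path.join(root, source)
            os.makedirs(folder)
            path = os.path.join(folder, fname)
            with open(path, "wb") as f:
                f.write(data)
            verdicts[source] = verify_installer(path, allowlist)
    return verdicts


if __name__ == "__main__":
    for source, verdict in demo().items():
        print(f"{source:20s} -> {verdict}")
```

In practice the allowlist is populated from the vendor's published digests (or a signed manifest you control), and the check runs before anything a recruiter, colleague or chat contact sent is executed. A file that arrives over WhatsApp or as a LinkedIn message attachment should never be the copy you hash; re-download from the vendor and compare that.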
Microsoft notes that the group also engages in destructive attacks on networks, intrusions into banking systems and cryptocurrency exchanges, data theft, and espionage. LinkedIn's security analysts have likewise observed these hackers creating bogus profiles that impersonate recruiters from companies in the media, entertainment, defense, and technology sectors.
Targets were moved off LinkedIn to WhatsApp, where the malware was delivered. U.S. authorities have separately warned companies to be wary of IT contractors applying for developer and support roles. LinkedIn's Defense and Threat Prevention team has already begun closing the fake accounts, but there are no doubt plenty more out there. Keep your guard up.