A North Korean hacking group is believed to be behind a new malware campaign that uses fake job postings on LinkedIn to lure its victims.
The group posts bogus job openings in the media, technology and defense industries under the guise of legitimate recruiters. In one ad, they even impersonated the New York Times.
Threat intelligence firm Mandiant found that the campaign has been running since June 2022. It believes the campaign is related to another North Korean malware campaign, carried out by the infamous Lazarus group and known as “Operation Dream Job”, which breaches the systems of crypto users.
Phishing for victims
For its part, Mandiant believes the new campaign comes from a separate group than Lazarus, and is unique in that the TouchMove, SideShow, and TouchShift malware used in the attacks had never been seen before.
After a user responds to the LinkedIn job posting, the hackers continue the conversation on WhatsApp, where they share a Word document containing malicious macros. The macros install a Trojan fetched from WordPress sites that the hackers have compromised and use as their command-and-control infrastructure.
This Trojan, based on TightVNC and known as LidShift, in turn loads a malicious Notepad++ plugin that downloads further malware, known as LidShot, which then deploys the final payload to the device: the PlankWalk backdoor.
After this, the hackers use a malware dropper called TouchShift, hidden in a Windows binary file. This loads a plethora of additional malicious components, including TouchShot and TouchKey, a screenshot utility and a keylogger respectively, as well as a loader called TouchMove.
It also loads another backdoor called SideShow, which allows high-level control over the host system, including the ability to edit the registry, change firewall settings, and run additional payloads.
The hackers also deployed the CloudBurst malware against companies that did not use a VPN, abusing the endpoint management service Microsoft Intune to do so.
In addition, the hackers exploited a zero-day flaw in the ASUS driver “Driver7.sys”, which another payload, called LightShow, uses to patch kernel routines in endpoint security software and so evade detection. This bug has since been patched.