Open source software hijacked by North Korean hackers

The infamous North Korean threat actor, Lazarus Group, has been observed engaging in a highly sophisticated targeted malware attack that involves compromising popular open source software and running spear phishing campaigns.

As a result, the group successfully compromised "numerous" organizations in the media, defense, aerospace and IT services industries, according to a Microsoft report.

The company claims that Lazarus (or ZINC, as it calls the group) compromised PuTTY, among other open source applications, with malicious code that installs spyware. PuTTY is a free and open source terminal emulator, serial console, and network file transfer application.

ZetaNile

But simply compromising open source software doesn't guarantee access to a target organization's endpoints; people still need to download and run the software. This is where the spear phishing comes in. Through a highly targeted social engineering campaign on LinkedIn, the threat actors trick specific employees of the targeted companies into downloading and running the app. Members of the group reportedly pose as recruiters on LinkedIn, offering their targets lucrative job opportunities.

The app was specially designed to avoid detection: the ZetaNile spyware is launched only when the app connects to a specific IP address and logs in with a specific set of login credentials.

In addition to PuTTY, Lazarus managed to compromise KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording.

"Actors have successfully compromised numerous organizations since June 2022," members of the Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense teams wrote in a post. "Due to the widespread use of the platforms and software ZINC is using in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple industries and regions."

Lazarus is no stranger to fake job offers. After all, the group has done the same thing to cryptocurrency developers and artists, posing as recruiters for Crypto.com or Coinbase.