Beware of these fake job offers on LinkedIn: they could lead to malware


A group of North Korean hackers is believed to be behind a new malware campaign that uses fake job postings on LinkedIn to lure its victims.

The group posts bogus jobs in the media, technology, and advocacy sectors under the guise of legitimate recruiters. They even impersonated The New York Times in an advertisement.

Threat intelligence firm Mandiant has discovered that the campaign has been running since June 2022. It believes it is linked to another malware campaign that originated in North Korea, led by the infamous Lazarus group and known as "Operation Dream Job", which compromises systems belonging to cryptocurrency users.

Phishing for victims

Mandiant, for its part, believes the new campaign comes from a group separate from Lazarus, and is unique in that TouchMove, SideShow, and TouchShift malware have never been seen used in attacks before.

After a user replies to the LinkedIn job posting, the hackers continue the process on WhatsApp, where they share a Word document containing malicious macros. These macros install Trojans fetched from WordPress sites the hackers have compromised and use as command-and-control infrastructure.

This Trojan, based on TightVNC and known as LidShift, in turn downloads a malicious Notepad++ plugin that retrieves malware known as LidShot, which then deploys the final payload to the device: the PlankWalk backdoor.

After that, the hackers use a malware dropper called TouchShift that is hidden in a Windows binary file. This loads a lot of additional malicious content, including TouchShot and TouchKey, a screenshot utility and a keylogger respectively, as well as a payload called TouchMove.

It also loads another backdoor called SideShow, which allows high-level control over the host system, such as the ability to edit the registry, change firewall settings, and run additional payloads.

Hackers also used CloudBurst malware on companies that did not use VPNs, abusing the Microsoft Intune endpoint management service.

In addition, the hackers exploited a zero-day flaw in the ASUS driver "Driver7.sys", which is used by another payload called LightShow to patch kernel routines in endpoint protection software and avoid detection. This bug has since been fixed.