Cybercriminals from North Korea have been observed posing as Samsung recruiters and sending fake job offers on emails to lure victims. The targets are employees from South Korean security firms selling anti-malware software.
Tech analysis of the campaign
According to Google, the emails included a PDF that pretends to be a job description for a role at Samsung. However, the attached PDFs files were malformed.
- The malicious PDFs can not be opened in a standard PDF reader. When the recipients complain that they are unable to open the job offer archive, the attackers offer a link to a Secure PDF Reader app users could install to open the file.
- However, this file was a modified version of PDFTron that can install a backdoor on the victims’ systems.
- The so-called Secure PDF Reader attempts to decode an embedded Portable Executable (PE) and PDF from the supplied PDF. The PE was XOR encoded with a single-byte key and dropped an implant.
- The implant leverages a genuine but compromised South Korean website for C2. It allows the attackers to perform various functions such as executing arbitrary commands and uploading files.
Attribution
The Google security team has associated the attacks with the same team of North Korean hackers (Lazarus APT aka Zinc) that previously targeted security researchers on Twitter and other social networks.
Conclusion
Zinc group is attempting new tricks, posing as recruiters to target the software supply chain of security firms for nefarious purposes. This indicates that the members of the group are putting more effort into upgrading their social engineering tactics and may continue to do so in the future.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/37ce_shutterstock_639700315.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/4b01_shutterstock_2034578255.jpg)
