North Korean hackers offer fake jobs to distribute malware

Lazarus, a state-sponsored hacking group based in North Korea, is now using open-source software and creating fake jobs to spread malware, Microsoft says.

The well-known hacking group targets many major industry sectors, such as technology, media entertainment and defense, and uses many different types of software to carry out these attacks.

An image describing how the hacking group ZINC works.

Next time you get a message on LinkedIn, be careful. Microsoft warns that the North Korea-based threat group is actively using Trojan-infected open-source software to target industry experts. Microsoft has determined that these social engineering attacks began in late April and continued through at least mid-September.

Lazarus, also known as ZINC, Labyrinth Chollima, and Black Artemis, is a state-sponsored military hacking group from North Korea. It is said to have been active since at least 2009 and since then has been responsible for a variety of major attacks including phishing, ransomware campaigns and more.

The group created fake LinkedIn recruiter profiles and approached suitable candidates with job vacancies at reputable, existing companies. “Target audiences received an outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies,” Microsoft said.

After convincing the victims to move the conversation from LinkedIn to WhatsApp, which offers encrypted communication, the hackers went to the next step. During the WhatsApp conversation, victims received infected software that allowed Lazarus to install malware on their systems.

The hackers’ end goal was to steal sensitive information or gain access to valuable networks. Aside from the malware — found in programs like PuTTY, KiTTY, TightVNC, muPDF/Subliminal Recording, and Sumatra PDF Reader — the attacks had also matured at a social level, with LinkedIn profiles and companies chosen to match the victim’s profession.


As noted by Bleeping Computer, ZINC has also carried out similar attacks, using fake social media personas to spread malware. It used to primarily target security researchers; this time the attacks have a wider range.

These attacks appear to be a continuation of Operation Dream Job. Active since 2020, the campaign focused on targets from the defense and aerospace sectors in the US and lured them with interesting job offers, all with the aim of engaging in cyberespionage. Lazarus has also been spotted attacking cryptocurrency workers and crypto exchanges in the past.

How can you protect yourself from these attacks? Try to keep your LinkedIn conversations on the platform whenever possible. Don’t accept files from people you don’t know and make sure you’re using good antivirus software. Finally, don’t be afraid to contact the company and verify that the person trying to send you files actually works there.
