Microsoft's Advanced Persistent Threat (APT) research group and the Microsoft Threat Intelligence Center (MSTIC) are warning users that hackers are using trojanized copies of open source software and fake social media accounts to infiltrate organizations and install malware.
To trick IT and software staff, the threat actors are using fake job posts that entice people. In some ways, the hack preys on employment mobility in tech and business.
Microsoft's APT research group says the phishing attack is being perpetrated by a group with links to the North Korean military. It is worth noting this is the same group that was behind the infamous Sony Pictures Entertainment hack of 2014.
Adding to the warning, the Microsoft Threat Intelligence Center (MSTIC) says the group uses Sumatra PDF Reader, KiTTY, muPDF/Subliminal Recording, TightVNC, and PuTTY to carry the malware.
In a blog post, MSTIC says these attacks have been ongoing since April.
The group, best known as Lazarus but also called ZINC by Microsoft, is known for spear-phishing campaigns. For example, Google Cloud's Mandiant threat analysts have also been tracking such attacks since July.
“Microsoft researchers have observed spear-phishing as a primary tactic of ZINC actors, but they have also been observed using strategic website compromises and social engineering across social media to achieve their objectives,” MSTIC points out.
“ZINC targets employees of companies it's attempting to infiltrate and seeks to coerce these individuals into installing seemingly benign programs or opening weaponized documents that contain malicious macros. Targeted attacks have also been carried out against security researchers over Twitter and LinkedIn.”
Targeting Social Media
Security teams at LinkedIn, the Microsoft-owned business social network, have seen the group create fake profiles on the platform. These profiles mimic business recruiters for various sectors and pretend to be offering jobs.
Targets who respond on LinkedIn, or on other networks the group uses such as WhatsApp, are then steered off those platforms; it is there that they are sent links loaded with malware. As well as LinkedIn and WhatsApp, the group has also been spotted on YouTube, Discord, Twitter, Telegram, and via email.
LinkedIn's Threat Prevention and Defense team says it shut down the fake accounts:
“Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with their policies, for accounts identified in these attacks, LinkedIn quickly terminated any accounts associated with inauthentic or fraudulent behavior.”