Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Meta recruiter impersonation. Show all posts

Security Breach: Hacker Poses as Meta Recruiter, Targets Aerospace Company

 

The Lazarus Group, an entity linked to North Korea, has been identified in a cyber espionage operation aimed at an aerospace firm based in Spain. The scheme involved impersonating a Meta recruiter on LinkedIn to approach employees of the targeted company. 

These individuals were then tricked into opening a malicious file that masqueraded as a coding challenge or quiz. This attack is part of a broader spear-phishing campaign known as Operation Dream Job. Its goal is to entice employees from potential strategic targets with enticing job opportunities, thereby initiating the infection process.

In a recent technical report shared with The Hacker News, ESET security researcher Peter Kálnai shed light on the attack. In a previous incident this March, the Slovak cybersecurity company had outlined an attack focused on Linux users, where fake HSBC job offers were used to deploy a backdoor named SimplexTea.

The latest intrusion, designed for Windows systems, aims to install an implant referred to as LightlessCan. Kálnai emphasized the significance of this new payload, highlighting its sophistication and representing a substantial advancement compared to its predecessor, BLINDINGCAN. BLINDINGCAN, also known as AIRDRY or ZetaNile, is a multifaceted malware capable of extracting sensitive data from compromised hosts.

The attack unfolded as follows: the target received a message on LinkedIn from a counterfeit recruiter claiming to represent Meta Platforms. This recruiter sent two coding challenges as part of the supposed hiring process, ultimately convincing the victim to execute the test files (named Quiz1.iso and Quiz2.iso) hosted on a third-party cloud storage platform.

ESET pointed out that these ISO files contained malicious binaries (Quiz1.exe and Quiz2.exe), which were downloaded and executed on a device provided by the company. This resulted in the system compromising itself and the corporate network being breached.

This attack sets the stage for an HTTP(S) downloader known as NickelLoader. This allows the attackers to deploy any desired program into the victim's computer memory, including the LightlessCan remote access trojan and a variant of BLINDINGCAN referred to as miniBlindingCan (aka AIRDRY.V2).

LightlessCan boasts support for up to 68 distinct commands, with 43 of them currently functional in its present version. Meanwhile, miniBlindingCan primarily focuses on transmitting system information and downloading files from a remote server.

One noteworthy feature of this campaign is the use of execution guardrails to prevent the payloads from being decrypted and run on any machine other than the intended victim's.

Kálnai highlighted that "LightlessCan emulates the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions." This strategic shift bolsters stealthiness, making it more challenging to detect and analyze the attacker's activities.

In recent months, the Lazarus Group and other threat clusters originating from North Korea have been notably active. They have conducted attacks spanning various sectors, including manufacturing and real estate in India, telecoms companies in Pakistan and Bulgaria, and government, research, and defense contractors in Europe, Japan, and the U.S., as per Kaspersky.