Looking For A New Job?
Oct. 1st, 2023 08:25 am
The findings come from antivirus provider ESET, which recently investigated a 2022 breach at an unnamed Spanish aerospace company. ESET traced the intrusion to a hacker-controlled account on LinkedIn that was impersonating a recruiter for Meta (Details: https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company).
The suspected North Korean hackers contacted multiple employees at the Spanish aerospace company using LinkedIn Messaging. “Masquerading as a Meta recruiter, the attacker used a job offer lure to attract the target’s attention and trust,” ESET says.
The "recruiter" sent prospective employees coding challenges, or quizzes, so they could demonstrate their programming skills. But in reality, the coding challenges were malicious software packages and included a downloader designed to “deploy any desired program into the memory of the victim’s computer,” ESET says.
Once the downloader was installed, the hacker delivered two different remote-access Trojans, which can hijack access to a PC. One of those Trojans was previously used in campaigns from the notorious North Korean group Lazarus, perhaps best known for their cryptocurrency heists and the 2014 Sony Pictures hack.
ESET also notes that employees who fell for the scheme were using “corporate computers for personal purposes.” As a result, the North Korean hackers had easy access to the Spanish aerospace company’s network. “The final goal of the attack was cyberespionage,” possibly to further North Korea’s own aerospace and nuclear weapons ambitions.
During the intrusion, the North Korean hackers also deployed a newly discovered remote-access Trojan, dubbed “LightlessCan,” which was found to be fairly sophisticated. For example, it can only be decrypted for activation on the intended victim’s PC. It’ll also mimic “the functionalities of a wide range of native Windows commands,” to hide itself from detection.
The remote-access Trojan shows Lazarus has found ways to further prevent antivirus providers from detecting their activities. “The attackers can now significantly limit the execution traces of their favorite Windows command line programs that are heavily used in their post-compromise activity,” ESET added. “This maneuver has far-reaching implications, impacting the effectiveness of both real-time monitoring solutions and of post-mortem digital forensic tools.”
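The evasion ESET describes targets a very common detection pattern: watching for a burst of built-in Windows discovery tools (whoami, ipconfig, net, systeminfo) spawned by one parent process shortly after compromise. The added example below is not ESET's code or tooling; it is a small illustration of that pattern, run over constructed process-creation events whose field names (ts, ppid, parent, image) are assumed for illustration. An implant that re-implements those commands in-process, as the article says LightlessCan does, produces none of these child-process events, which is exactly why this kind of rule alone is not enough and why the "far-reaching implications" for monitoring and forensics follow.

```python
"""Flag parents that spawn a burst of Windows discovery commands.

Added example, not code from ESET or the article. Event shape is an
assumption loosely modelled on process-creation telemetry (e.g. Sysmon
Event ID 1); timestamps, PIDs and image names below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in command line tools frequently run during post-compromise discovery.
DISCOVERY_IMAGES = {
    "whoami.exe", "ipconfig.exe", "systeminfo.exe",
    "net.exe", "net1.exe", "tasklist.exe", "nltest.exe",
}

WINDOW = timedelta(minutes=5)   # how close together the spawns must be
THRESHOLD = 3                   # distinct discovery tools needed to alert

# Constructed sample telemetry. "challenge.exe" is a hypothetical name
# standing in for a trojanized "coding challenge" binary.
SAMPLE_EVENTS = [
    {"ts": "2023-10-01T09:00:01", "ppid": 4100, "parent": "explorer.exe",  "image": "notepad.exe"},
    {"ts": "2023-10-01T09:01:10", "ppid": 5120, "parent": "challenge.exe", "image": "whoami.exe"},
    {"ts": "2023-10-01T09:01:12", "ppid": 5120, "parent": "challenge.exe", "image": "ipconfig.exe"},
    {"ts": "2023-10-01T09:01:15", "ppid": 5120, "parent": "challenge.exe", "image": "net.exe"},
    {"ts": "2023-10-01T09:01:20", "ppid": 5120, "parent": "challenge.exe", "image": "systeminfo.exe"},
    {"ts": "2023-10-01T09:30:00", "ppid": 6000, "parent": "cmd.exe",       "image": "ipconfig.exe"},
]


def parse_ts(s):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(s)


def find_discovery_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return [(ppid, parent, sorted_images)] for every parent process that
    launched at least `threshold` distinct discovery tools within `window`.

    Only child-process events are examined, so an implant that mimics these
    commands internally (as described for LightlessCan) is invisible here.
    """
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort chronologically
        if ev["image"].lower() in DISCOVERY_IMAGES:
            by_parent[(ev["ppid"], ev["parent"])].append(ev)

    hits = []
    for (ppid, parent), evs in by_parent.items():
        best = None
        start = 0
        # Sliding window over this parent's discovery spawns.
        for end in range(len(evs)):
            while parse_ts(evs[end]["ts"]) - parse_ts(evs[start]["ts"]) > window:
                start += 1
            distinct = {e["image"].lower() for e in evs[start:end + 1]}
            if len(distinct) >= threshold and (best is None or len(distinct) > len(best)):
                best = distinct
        if best:
            hits.append((ppid, parent, sorted(best)))
    return hits


if __name__ == "__main__":
    for ppid, parent, images in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"discovery burst from {parent} (pid {ppid}): {', '.join(images)}")
```

In the constructed sample only the hypothetical challenge.exe trips the rule; a single ipconfig from cmd.exe does not. The design point is the gap this exposes: because the rule keys entirely on child-process creation, telemetry that does not depend on it (network connections, in-memory scanning, module loads) has to carry the weight once an implant stops spawning the real commands.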
no subject
Date: 2023-10-01 05:18 pm (UTC)
It looks like an upgrade of the old post-Soviet fraud where sharpers collect information, bank card credentials, etc. under cover of an attractive position description.
Then they use the received credentials to take loans from the banks.
I think the Soviet commies provided a lot of social-engineering practices to Kim Jong Un's sucker-hackers.
no subject
Date: 2023-10-01 08:29 pm (UTC)