A cyberespionage campaign aimed at aerospace and defense sectors to install data gathering implants on victims' machines for purposes of surveillance and data exfiltration may have been more sophisticated than previously thought. The use of job of employment ads and postings have the recent bait for unsuspecting victims.
The attacks, which targeted IP-addresses belonging to internet service providers (ISPs) in Australia, Israel, Russia, and defense contractors based in Russia and India, involved a previously undiscovered spyware tool called Torisma to stealthily monitor its victims for continued exploitation. Tracked under the codename of "Operation North Star" by McAfee researchers, initial findings into the campaign in July revealed the use of social media sites, spear-phishing, and weaponized documents with fake job offers to trick employees working in the defense sector to gain a foothold on their organizations' networks.
The attacks have been attributed to infrastructure and TTP's (Techniques, Tactics, and Procedures) previously associated with Hidden Cobra, an umbrella term used by the US government to describe all North Korean state-sponsored hacking groups. Microsoft has referred to this group as Zinc. Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. The US Federal Bureau of Investigation says that the Lazarus Group is a North Korean "state-sponsored hacking organization."
Lazarus Group is a cybercrime group made up of an unknown number of individuals. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them over the last decade. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and a wide array of methods used when conducting an operation
The development continues the trend of North Korea, a heavily sanctioned country, leveraging its arsenal of threat actors to support and fund its nuclear weapons programs by perpetuating malicious attacks on US defense and aerospace contractors. While the initial analysis suggested the implants were intended to gather basic victim information so as to assess their value, the latest investigation into Operation North Star exhibits a "degree of technical innovation" designed to remain hidden on compromised systems.
Not only did the campaign use legitimate job recruitment content from popular US defense contractor websites to lure targeted victims into opening malicious spear-phishing email attachments, the attackers compromised and used genuine websites in the US and Italy, an auction house, a printing company, and an IT training firm to host their command-and-control (C2) capabilities. "Using these domains to conduct C2 operations likely allowed them to bypass some organizations' security measures because most organizations do not block trusted websites," McAfee researchers Christiaan Beek and Ryan Sherstibitoff reported.
What is more, the first-stage implant embedded in the Word documents would go on to evaluate the victim system data (date, IP Address, User-Agent, etc.) by cross-checking with a predetermined list of target IP addresses to install a second implant called Tourism, all the while minimizing the risk of detection and discovery. This specialized monitoring implant is used to execute custom shellcode, in addition to actively monitoring for new drives added to the system as well as remote desktop connections. "This campaign was interesting in that there was a particular list of targets of interest, and that list was verified before the decision was made to send a second implant, either 32 or 64 bits, for further and in-depth monitoring," the researchers said. "Progress of the implants sent by the C2 was monitored and written in a log file that gave the adversary an overview of which victims were successfully infiltrated and could be monitored further."
During these difficult times of the pandemic and increased levels of unemployment, please be cautious of job offers and online recruiters. Working from home adds additional vulnerabilities for job hunters. Ensure that you are current with your security services and schedule automatic software updates.
Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization. Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941