Lazarus Group, also known as APT38, is posing as a job recruitment division for the US Defence Center. The group is now using LinkedIn, targeting recipients' profiles by posting fake job offers.
The attackers use LinkedIn's private messaging to send the crafted, masqueraded job offers to the recipients they want to trick.
The attackers are clever: each message is customized and dressed up to look like a legitimate job offer. As a result, victims trust the attachment and enable the hidden content inside it.
Researchers have confirmed this is an organized, ongoing campaign running since January 2018. It has targeted 14 countries in a cycle of attacks, including: United States, China, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan, and the Philippines.
The centrepiece of the trick: when the victim opens the document, it claims to be GDPR-compliant and protected for data security, and asks for permission to enable the content.
The moment the victim enables the content in the file, a backdoor is implanted, giving the attackers quick access.
The ever-famous Mimikatz (French for "cute cat"; it can dump account login information, including clear-text passwords stored in system memory) is then deployed on victim machines to collect crypto wallet information or bank account details, leading to data exfiltration.
The evidence also suggests that this is part of an ongoing campaign targeting organizations in over a dozen countries, which makes attribution important. Companies can use the report to familiarize themselves with this incident, the TTPs, and the Lazarus Group in general, to help protect themselves from future attacks.
The researchers summarize the flow of the attacks as follows:
The researchers have already found relevant IOCs that should be monitored if LinkedIn is used in an official environment; it is recommended to block these IOCs in the applicable security devices and EDR solutions in the organization.
| Field | Value |
| --- | --- |
| MD5 | cd0a391331c1d4268bd622080ba68bce |
| SHA-1 | da013027c7f534321c940f2047354359d7b32480 |
| SHA-256 | 7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6 |
| Vhash | 6588cb76f4a67f61788876956642bd80 |
| SSDEEP | 6144:iqeZW6uUGwGOMpsdmQsNW/74kGldaeoEISB:iqdlUvfMeETNCkkNt |
| File type | MS Word Document |
| File name | 7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6.bin; BlockVerify Group Job Description[GDPR].doc |
Other known IOCs reported with Lazarus (MD5):
• 0abdaebbdbd5e6507e6db15f628d6fd7
• f5e0f57684e9da7ef96dd459b554fded
• 2963cd266e54bd136a966bf491507bbf
• 06cd99f0f9f152655469156059a8ea25
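One way to act on the hashes above before anyone clicks "Enable Content": the script below is an added example (not from the researchers' report or any vendor tool) that hashes a received attachment, checks it against the IoCs published on this page, and flags legacy Office documents that carry VBA stream names. The macro check is a byte-pattern heuristic, assumed here for illustration; real triage should use a proper OLE parser such as oletools.

```python
import hashlib

# IoC hashes as published on this page (the lure document plus the additional
# MD5s reported for Lazarus). Everything else in this block is an added example.
KNOWN_BAD = {
    "md5": {
        "cd0a391331c1d4268bd622080ba68bce",
        "0abdaebbdbd5e6507e6db15f628d6fd7",
        "f5e0f57684e9da7ef96dd459b554fded",
        "2963cd266e54bd136a966bf491507bbf",
        "06cd99f0f9f152655469156059a8ea25",
    },
    "sha1": {"da013027c7f534321c940f2047354359d7b32480"},
    "sha256": {"7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6"},
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of a legacy .doc/.xls container
# Stream names inside an OLE file are stored as UTF-16LE; these are the ones a VBA
# project leaves behind. Heuristic only (assumption): a real parser is more reliable.
MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "VBA", "_VBA_PROJECT")]


def hashes_of(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of the file contents."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def ioc_matches(data: bytes, iocs: dict = KNOWN_BAD) -> list:
    """List the hash algorithms under which this file matches a known IoC."""
    digests = hashes_of(data)
    return [alg for alg in ("md5", "sha1", "sha256") if digests[alg] in iocs.get(alg, set())]


def has_macro_markers(data: bytes) -> bool:
    """True if the bytes look like an OLE document that carries VBA stream names."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in MACRO_MARKERS)


def assess(data: bytes, iocs: dict = KNOWN_BAD) -> str:
    """Triage verdict for an attachment received through LinkedIn or e-mail."""
    hits = ioc_matches(data, iocs)
    if hits:
        return "block: matches published IoC (" + ", ".join(hits) + ")"
    if has_macro_markers(data):
        return "suspicious: Office document with VBA macro markers, do not enable content"
    if data.startswith(OLE_MAGIC):
        return "review: Office document, no macro markers found"
    return "no IoC match"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", assess(fh.read()))
```

Run it as `python triage.py "BlockVerify Group Job Description[GDPR].doc"`; a verdict other than "no IoC match" means the file goes to the security team instead of being opened.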
The attacks are not the first time LinkedIn has been caught up in international espionage. Western officials have repeatedly accused China of using fake LinkedIn accounts to recruit spies in other countries, and multiple hacking groups have been spotted using the business-networking site to profile their targets.
LinkedIn said it had identified and deleted the accounts used in the attacks. "We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors," said the company's head of trust and safety, Paul Rockwell.
As individuals, for any document received through LinkedIn we need to validate the reliability of the sender and scan the document before enabling the file's content. There are plenty of open source tools that can help us validate the legitimacy of a file.
Be Safe!! Stay Safe!!