Lazarus LinkedIn Job Offer- IOC’s Available To Protect

Home/IOC's, Targeted Attacks/Lazarus LinkedIn Job Offer- IOC’s Available To Protect

Lazarus LinkedIn Job Offer- IOC’s Available To Protect

Lazarus Group who are known as APT38 enact themselves as a Job recruitment division for the US Defence Center. Now they are using LinkedIn and targeting the recipients profile by posting the fake job offers

Masterminds using LinkedIn’s private messaging option to send the fake crafted masqueraded job offers to trick the recipients.

Attackers are so intelligent, because they customized messages and portrayed it to look like a legitimate job offer. Due to which victims are trusting the attachment and enabling the hidden content inside

This is an organized and on-going campaign from January 2018 where researchers confirmed. Also they have targeted 14 different countries into a cycle of attacks including: United States, China, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan, and the Philippines.

Top of the trick is ” When the Victim opens the document it shows the GDPR compliance and it’s protected for Data Security and seeking the permission to enable the content”

The moment Victim’s enable the content in the file, that implants the Backdoor for the attackers and provides the quicker access

All time famous Mimikatz – French for cute cat [Mimikatz is capable of dumping account login information, including clear text passwords stored in system memory] is deployed in victim machines to collect all crypto wallet information or bank account details and leads to data exfilltration

The evidence also suggests that this is part of an ongoing campaign targeting organizations in over a dozen of countries, which makes the attribution important. Companies can use the report to familiarize themselves with this incident, the TTPs, and Lazarus Group in general, to help protect themselves from future attacks.

Flow of the attacks is briefed by the researchers as below;

The Resarchers already found releavant IOC’s which should be monitored if LinkedIn getting used in an official environment, it’s recommended to block the IOC’s in applicable security devices and EDR solutions in the organization

MD5cd0a391331c1d4268bd622080ba68bce
SHA-1da013027c7f534321c940f2047354359d7b32480
SHA-2567446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6
Vhash6588cb76f4a67f61788876956642bd80
SSDEEP6144:iqeZW6uUGwGOMpsdmQsNW/74kGldaeoEISB:iqdlUvfMeETNCkkNt
File typeMS Word Document
File Name*7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6.bin
* BlockVerify Group Job Description[GDPR].doc

And other known IOC’s which were reported with Lazarus were – MD5:

•    0abdaebbdbd5e6507e6db15f628d6fd7

•    f5e0f57684e9da7ef96dd459b554fded

•    2963cd266e54bd136a966bf491507bbf

•    06cd99f0f9f152655469156059a8ea25

The attacks are not the first time LinkedIn has been caught up in international espionage. Western officials have repeatedly accused China of using fake LinkedIn accounts to recruit spies in other countries, and multiple hacking groups have been spotted using the business-networking site to profile their targets.

LinkedIn said it had identified and deleted the accounts used in the attacks. “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors,” said the company’s head of trust and safety, Paul Rockwell

As an individual we need to ensure any documents received through LinkedIn, we need to validate the reliability of the sender and scan the documents before enabling the contents of the file. We have a lot of open source tools which can helps us in validating the legitimacy of the file

Be Safe!! Stay Safe!! 

By | 2020-08-26T17:38:35+00:00 August 26th, 2020|IOC's, Targeted Attacks|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment