North Korea’s Lazarus hacker group, also tracked as ZINC, has been found using weaponized open-source software to spy on employees of organizations in the US, UK, India and Russia. The group targeted organizations in the defense, aerospace, IT services and media sectors. The attacks pose a serious threat because the confidential data the hackers obtain can be used to run further social engineering campaigns.
Researchers at the Microsoft Threat Intelligence Center (MSTIC) and LinkedIn Threat Prevention and Defense published the findings in a blog post documenting how legitimate open-source software was turned into an attack vehicle. Since June 2022, ZINC has been weaponizing such software in campaigns aimed at espionage, data theft, financial gain and network destruction.
How the campaign works
In one tactic, the attackers pose as employers or recruiters on platforms such as LinkedIn, connect with a target employee and hold bogus job-related conversations. They then move the conversation to WhatsApp, where they send copies of legitimate open-source tools laced with malicious payloads. Once the trojanized software is run, the payload can install malware that gives the attackers control of the device and exfiltrates stolen data.
Software used for cyber espionage
MSTIC found that ZINC used trojanized copies of several legitimate, free, open-source tools to advance the attack: TightVNC, PuTTY, KiTTY, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer. The unsuspecting targets were asked to download the infected copies. Because the tools still work as expected, nothing obviously attack-like happens when they are run; the implant rides along with the normal functionality.
As reported by the news website Ars Technica, the trojanized PuTTY and KiTTY clients installed the ‘ZetaNile’ malware only when the victim used them to connect to a specific IP address with the login credentials supplied by the attackers. This let the attackers hit chosen individuals: anyone else who ran the same download without those connection details saw nothing malicious.
Tying execution to the attacker-supplied address and credentials limits the number of people the malware affects, and it also means that simply running the binary in a sandbox will not trigger the payload.
According to the research, the group successfully exfiltrated data from the systems of several organizations in recent months. With the operators still active, experts warn job seekers and organizations to be wary of supposed employers who forward open-source software downloads or PDF documents, which may carry malicious payloads, and to obtain such tools only from the vendor’s official release channels.
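The practical check behind that advice is to verify a tool against the digest the vendor publishes before running it, so that a copy handed over on a chat app is caught by its changed hash. The script below is an added example, not code from the article or from Microsoft or LinkedIn; the manifest format follows the `sha256sum` layout, and the binaries and digests are constructed for the demo rather than real PuTTY or KiTTY releases.

```python
"""Check a downloaded build of an open-source tool against the vendor's
published SHA-256 manifest before running it.

Added example; not code from the article or from Microsoft/LinkedIn.
Manifest lines follow the `sha256sum` layout ("<hex>  <file>" or
"<hex> *<file>"). The binaries and the manifest below are constructed
for the demo: the "genuine" bytes stand in for a vendor release and the
"trojanized" bytes for a copy received over a messaging app."""

import hashlib
import re
from typing import Dict, List, Tuple

# One sha256sum-style line: 64 hex chars, whitespace, optional '*' binary marker, filename.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the given bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> expected digest. Skips blank/comment lines; rejects malformed ones."""
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests


def verify_artifact(name: str, data: bytes, manifest: Dict[str, str]) -> str:
    """Return 'ok' when the bytes match the manifest entry for `name`,
    'mismatch' when they differ, and 'unlisted' when the vendor never
    published a digest for that filename (a renamed or unofficial build)."""
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"
    return "ok" if sha256_hex(data) == expected else "mismatch"


def triage(downloads: List[Tuple[str, bytes]], manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Verdict per (filename, bytes) pair; only 'ok' copies should ever be executed."""
    return [(name, verify_artifact(name, data, manifest)) for name, data in downloads]


# --- Constructed sample data (not real PuTTY/KiTTY bytes or digests) ---
GENUINE_PUTTY = b"MZ" + b"\x00" * 14 + b"constructed stand-in for a vendor PuTTY build"
GENUINE_KITTY = b"MZ" + b"\x00" * 14 + b"constructed stand-in for a vendor KiTTY build"
# A trojanized copy keeps the original program but carries extra code, so its digest changes.
TROJANIZED_PUTTY = GENUINE_PUTTY + b"<constructed injected loader stub>"

# The manifest a vendor would publish beside its release (digests derived from the sample bytes).
VENDOR_MANIFEST = (
    "# constructed sha256sum output for the demo release\n"
    f"{sha256_hex(GENUINE_PUTTY)}  putty.exe\n"
    f"{sha256_hex(GENUINE_KITTY)} *kitty.exe\n"
)


def demo() -> List[Tuple[str, str]]:
    """Run the check over four constructed downloads and return the verdicts."""
    manifest = parse_manifest(VENDOR_MANIFEST)
    downloads = [
        ("putty.exe", GENUINE_PUTTY),             # fetched from the vendor site
        ("putty.exe", TROJANIZED_PUTTY),          # received over a chat app
        ("kitty.exe", GENUINE_KITTY),
        ("putty_recruiter.exe", GENUINE_PUTTY),   # renamed: no published digest
    ]
    return triage(downloads, manifest)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:9s} {name}")
```

The manifest itself must come from the vendor’s site (or a signed release), not from the same person who sent the binary; a recruiter who supplies both the download and its “checksum” has defeated the check. An `unlisted` verdict is a warning in its own right, since a renamed or repackaged build has no published digest to compare against.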