Pune Media
Leading the news curation and publishing for the people of Pune

North Korean Trojanizing Open Source Software

Lazarus Group Uses Social Engineering to Manipulate Victims Into Downloading Malware

Mihir Bagwe (MihirBagwe) •
September 30, 2022    

The “Monument to Party Founding” Pyongyang, North Korea. (Image:
Peter Anta / Pixabay)

North Korea’s infamous Lazarus hacking group is using social engineering tactics to manipulate victims into downloading trojanized open source utilities in a bid to spy on the technology, defense and entertainment sectors worldwide.

See Also: Now OnDemand | C-Suite Round-up: Connecting the Dots Between OT and Identity

That warning comes from Microsoft, which says the threat prevention team for its LinkedIn professional social network detected North Korean hackers creating fake profiles for recruiters. The computing giant tracks the Lazarus Group as Zinc.

The campaign primarily targets engineers and technical support professionals working at media and information technology companies located in the United Kingdom, India, and the United States. The malicious payload is the ZetaNile implant, also known as Blindingcan.

Whenever a Pyongyang hacker establishes some trust with a victim, the hacker attempts to move the conversation to WhatsApp, where it delivers malware, including corrupted versions of secure shell protocol utilities PuTTY and KiTTY, as compressed ZIP archives or ISO files. Threat intelligence firm Mandiant has also spotted North Korean hackers luring would-be job recruits into downloading PuTTY embedded into ISO files. As Mandiant notes, from Windows 10 onwards, double-clicking an ISO file automatically mounts it as a virtual disk drive.

The Cybersecurity and Infrastructure Security Agency and FBI has warned about the Blindingcan backbdoor, which acts as a fully functional remote access Trojan. The malware is capable of retrieving information, manipulating processes, retrieving and modifying files. It has also been developed into a newer variant called CopperHedge.

Lazarus is infamous for using social engineering tactics as initial access vector and has previously used fake LinkedIn job postings to lure users into downloading malicious payloads (see: North Korean Hackers Wage Job-Themed Spear-Phishing Attacks).

The trojanized applications also include document readers Sumatra PDF and muPDF/Subliminal Recording. Starting earlier this month, hackers also began sending out trojanized versions of TightVNC Viewer, the open source remote desktop software.The malicious TightVNC Viewer has a pre-populated list of remote hosts, and it’s configured to install the backdoor only when the user selects certain remote host option in the list.

Images are for reference only.Images and contents gathered automatic from google or 3rd party sources.All rights on the images and contents are with their legal original owners.

Aggregated From –

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More