McAfee: Operation North Star Used Fake Job Offers to Plant Malware
Hackers with suspected ties to North Korea targeted U.S. aerospace and defense firms earlier this year with fake job offer emails sent to employees, according to an analysis released by security firm McAfee.
This phishing campaign, which McAfee calls Operation North Star, attempted to use these messages to plant malware in employees’ devices, which could help attackers gain a foothold into the larger network and steal data, according to the report.
While the McAfee researchers were not able to recover the majority of the phishing emails used during this campaign, the report notes that Operation North Star appears to have ties to the well-known North Korean hacking group called Hidden Cobra, which other researchers refer to as Lazarus (see: US Offers $5 Million Reward for N. Korea Hacker Information).
Specifically, McAfee noticed similarities between phishing emails that targeted similar companies in 2017, as well as India’s defense industry in 2019, and those used against U.S. defense and aerospace firms this year. In addition, the researchers noted that some of the domains used in Operation North Star had previously been utilized by Hidden Cobra in other campaigns.
“From our analysis, this appears a continuation of the 2019 campaign, given numerous similarities observed,” according to the McAfee report. “These similarities are present in both the Visual Basic code used to execute the implant and some of the core functionality that exists between the 2019 and 2020 implants.”
Operation North Star started about March 31 and appears to have stopped by May 18, according to McAfee. Since not all the phishing emails used were found, McAfee was unable to determine which specific firms and employees were targeted by the hackers.
The McAfee researchers did find that the hackers were seeking to infect the devices of employees who held specific job titles. “The victimology of these campaigns is not clear at this time, however based on the job descriptions, they appear to be targeting people with skills and experience relating to the content in the lure documents,” the report notes.
The Operation North Star campaign is built around spear-phishing emails that target specific employees and appear to contain information about potential job offers, according to the report.
The emails contain a malicious attached document that, if opened, starts the initial attack. The attached file first attempts to download a Microsoft Word template containing macros, which then install the malware on the device. Keeping the macros in a separately fetched template, rather than in the attachment itself, is a way to evade security tools and software, according to McAfee.
The emails themselves appear to come from job recruiters and advertise for positions such as:
- F-22 Fighter Jet Program
- Defense, Space and Security (DSS)
- Photovoltaics for space solar cells
- Aeronautics Integrated Fighter Group
- Military aircraft modernization programs
The messages are specifically designed to lure victims to open the initial attached file, according to the report.
When the malicious templates are opened, Visual Basic macro code will then load a Dynamic Link Library (DLL) implant onto the victim’s device, which then downloads the malware. Once installed, the malware will attempt to contact a command-and-control server, which appears to be based in Europe, according to McAfee.
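The two-stage opening described above (a clean-looking attachment that pulls a macro-bearing Word template at open time) leaves a mark a defender can check for before the document is ever opened. The following script is an added example, not code from the McAfee report or from the campaign: it assumes the template download works through Word's attached-template relationship in `word/_rels/settings.xml.rels`, which is the standard mechanism for a document to reference an external template. The sample documents it builds, and the `template-host.invalid` URL, are constructed for the demonstration and are not indicators from the campaign.

```python
"""Triage check for Word documents that reference a remote template.

Added example (not from the McAfee report). A .docx is a ZIP package; Word
records an attached template as a relationship of type ".../attachedTemplate"
in word/_rels/settings.xml.rels. When that relationship has
TargetMode="External" and an http(s) Target, Word fetches the template when
the document is opened. This is assumed here to be the mechanism behind the
"download a Word template that contains macros" step described above.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return external http(s) attached-template URLs found in the package.

    Plain documents with no settings relationships yield an empty list, and
    local template paths (TargetMode absent or "Internal") are ignored.
    """
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        rels_path = "word/_rels/settings.xml.rels"
        if rels_path not in zf.namelist():
            return targets
        root = ET.fromstring(zf.read(rels_path))
        for rel in root.findall(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            if urlparse(target).scheme in ("http", "https"):
                targets.append(target)
    return targets


def has_macros(docx_bytes: bytes) -> bool:
    """True if the package itself carries a VBA project (vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def triage(docx_bytes: bytes) -> Dict[str, object]:
    """Summarise both indicators: remote template reference and embedded macros.

    A remote template with no embedded macros is the combination that the
    staged attack above relies on, since the attachment alone looks benign.
    """
    return {
        "remote_templates": remote_template_targets(docx_bytes),
        "embedded_macros": has_macros(docx_bytes),
    }


def build_sample_docx(template: Optional[str], external: bool = True) -> bytes:
    """Constructed minimal package for the demonstration (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if template is not None:
            mode = ' TargetMode="External"' if external else ""
            rels = (
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template}"{mode}/>'
                "</Relationships>"
            )
            zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; the campaign's real domains are not reproduced here.
    staged = build_sample_docx("http://template-host.invalid/job-description.dotm")
    local = build_sample_docx("Normal.dotm", external=False)
    clean = build_sample_docx(None)
    print(triage(staged))  # remote template flagged, no embedded macros
    print(triage(local))   # local template path, nothing flagged
    print(triage(clean))   # nothing flagged
```

A mail gateway or sandbox that records `remote_templates` alongside `embedded_macros` can flag the "no macros in the attachment but a remote template reference" pattern, which is precisely the case a macro-only scan misses.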
The analysis did not name the specific malware, but notes that it’s designed to maintain persistence within the device, act as a way to move deeper into the targeted network and gather data, according to the report.
Since McAfee couldn’t capture all the phishing emails used in this campaign, and since the command-and-control server has now been disconnected, the researchers were not sure what the hackers’ ultimate goal was or what type of data they might have been interested in, the report notes.
Recent North Korea Activity
Over the past month, Hidden Cobra, or Lazarus, has made several headlines as researchers released numerous reports about the group’s activities. On Tuesday, security firm Kaspersky released a report noting that these North Korean-linked threat actors have expanded into more ransomware operations, including one detected in Europe (see: Lazarus Group Reportedly Now Wielding Ransomware).
Other reports have linked this hacking group to a new type of malware framework that has been deployed across several countries, as well as tied some of their activities to Magecart-like attacks that are designed to skim payment card information from online checkout sites.