Microsoft warns of North Korean cyber gang posing as LinkedIn recruiters
Microsoft is cautioning people to be wary of a North Korean cyber gang that is using LinkedIn for phishing and to distribute trojanised versions of open source software packages. The gang, dubbed Zinc, first establishes contact on LinkedIn and, once it has gained the target's trust, moves the conversation to WhatsApp, where it delivers shellcode from the ZetaNile malware family.
The state-sponsored group has been active since 2009 and has, in the past, run full-scale phishing campaigns targeting media, defence entities, aerospace companies, and IT providers in the UK, US, India, and Russia. It is believed to be responsible for the 2014 attack on Sony Pictures, carried out in retribution for the comedy movie The Interview, which targeted their president.
The group's LinkedIn campaign has been running since June and, according to Microsoft, the payloads are packed with commercial software protectors such as Themida and VMProtect to evade detection. In other cases the payload is encrypted with a custom algorithm and decrypted at runtime using a custom key held in the DLL.
“By encoding the victim information in the parameters for common keywords like game type or bbs in the HTTP POSTs, these C2 communications can blend in with legitimate traffic,” the statement from Microsoft read.
The open source software being distributed by the hackers includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer. Once the victim has installed the software on their computer, the hackers use custom remote access tools such as FoggyBrass and PhantomStar to carry out their attacks.
Microsoft has noted that the motivation behind the attacks appears to be normal cyber espionage: the threat actors attempt to steal money, exfiltrate data, or disrupt the victim's network.
Microsoft's biggest worry is that, by leveraging platforms such as LinkedIn and WhatsApp and by trojanising a wide variety of popular software, the hackers are well positioned to inflict a lot of damage on a lot of people.
“Due to the wide use of the platforms and software that ZINC utilises in this campaign, ZINC could pose a significant threat to individuals and organisations across multiple sectors and regions,” said Microsoft.
LinkedIn's threat prevention and defence system has been able to flag and stop Zinc from creating fake profiles and targeting individuals in the past, but as the group's tactics grow more sophisticated it is increasingly important that end users are educated so that they avoid falling victim.
Microsoft has advised organisations to scan for the published indicators of compromise (IOCs) and for traffic to and from certain IP addresses.
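The two detection hints in this article, the innocuous-looking HTTP POST parameter names quoted from Microsoft's statement and the advice to scan for traffic to listed IP addresses, can be turned into a simple check over proxy logs. The Python below is an added example written for this page, not code from Microsoft or LinkedIn; the log format, the sample log lines and the IP addresses (documentation-range placeholders standing in for the published IOC list) are all constructed.

```python
"""Detection sketch: flag HTTP POSTs that carry an encoded blob under an
innocuous parameter name, and any traffic to listed C2 addresses."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Parameter names Microsoft's statement says are used to smuggle victim data.
# A starting watch list only; extend it from your own telemetry.
WATCH_PARAMS = {"gametype", "bbs"}

# PLACEHOLDER: replace with the addresses from Microsoft's published IOC list.
# 203.0.113.0/24 is a documentation range; these are not real ZINC infrastructure.
C2_IPS = {"203.0.113.10", "203.0.113.11"}

# A value that looks like a base64/hex blob rather than a game name or board id.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")

# Constructed log format: "<ts> <src_ip> <dst_ip> <method> <url> [<form body>]"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")


@dataclass
class Finding:
    line_no: int
    dst_ip: str
    reason: str


def analyse(lines):
    """Return one Finding per suspicious observation, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        _ts, _src, dst, method, _url, body = m.groups()
        if dst in C2_IPS:
            findings.append(Finding(n, dst, f"traffic to listed C2 address {dst}"))
        if method != "POST" or not body:
            continue
        params = parse_qs(body, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() in WATCH_PARAMS and any(ENCODED_RE.match(v) for v in values):
                findings.append(Finding(n, dst, f"encoded blob in '{name}' parameter"))
    return findings


# Constructed sample log: lines 1 and 2 are benign, 3 to 5 should be flagged.
SAMPLE_LOG = [
    "2022-09-29T10:00:01Z 10.0.0.5 198.51.100.7 GET /index.html",
    "2022-09-29T10:00:05Z 10.0.0.5 198.51.100.7 POST /forum/post.php bbs=general&msg=hello",
    "2022-09-29T10:00:09Z 10.0.0.5 198.51.100.8 POST /board/view.php gametype=QmFzZTY0ZW5jb2RlZHZpY3RpbWluZm8=",
    "2022-09-29T10:00:12Z 10.0.0.5 203.0.113.10 POST /login.php bbs=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q=",
    "2022-09-29T10:00:20Z 10.0.0.6 203.0.113.11 GET /favicon.ico",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.dst_ip}: {f.reason}")
```

The parameter heuristic is deliberately loose: a legitimate site might also send base64 in a `bbs` field, so treat the parameter match as a triage signal to pivot on (destination, process, user) rather than a verdict, while a hit on the IOC address list is the stronger indicator.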