According to Symantec’s threat intel team, the North Korean Lazarus hacking group was caught spying on chemical sector companies.
North Korean hackers have been involved in a number of highly profitable cryptocurrency theft campaigns. Symantec attributed this latest espionage campaign against South Korean targets to Lazarus on the basis of file hashes, file names, and tools the group has used before.
The researchers at Symantec said the spy operation is possibly a continuation of the state-sponsored snoops’ Operation Dream Job, which started in August 2020. The hacking group used phony job offers to lure victims into clicking links or opening malicious attachments. This enabled the criminals to install spyware on the victims’ computers.
Dream Job campaigns targeting defense, government, and engineering organizations in 2020 and 2021 were documented by ClearSky and AT&T security researchers. A similar lure aimed at Lockheed Martin job applicants was documented earlier this year by Qualys security researchers.
The attack begins when the victim receives a malicious HTML file. How the file is delivered is not clear, but it is then copied to a DLL file called scskapplink.dll and injected into a legitimate application on the system.
The researchers said, “The DLL file gets injected into INISAFE Web EX Client, which is legitimate system management software. The scskapplink.dll file is typically a signed Trojanized tool with malicious exports added.”
Further, the researchers explained, the Trojanized files were signed with code-signing certificates issued to DOCTER USA, INC and “A” MEDICAL OFFICE, PLLC.
The bad actors also use Windows Management Instrumentation (WMI) to move laterally across the network and inject into the MagicLine application by DreamSecurity on other computers.
The findings suggest the attackers dumped credentials from the SAM and SYSTEM registry hives and then spent several hours running unknown shellcode via a loader called final.cpl. According to Symantec, this shellcode was likely used to collect the dumped hives.
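The two behaviours described above, dumping the SAM and SYSTEM hives and using WMI to start processes on other hosts, are the kind of thing a SOC can catch in process-creation telemetry. The following detection script is an added example and not code from Symantec's report: it runs two rules over a handful of constructed sample events (modelled on Sysmon Event ID 1 / Windows 4688 fields, not real logs) and escalates any host that exhibits both behaviours. The specific commands it looks for (`reg save HKLM\SAM`, `wmic /node:... process call create`, `Invoke-WmiMethod ... Win32_Process`) are common ways of performing these actions and are assumptions; the report does not say which commands Lazarus used.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon Event ID 1 / Windows 4688
# style fields). These are made up for the example, not data from the report.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"host": "ws-01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\Users\Public\system.hiv"},
    {"host": "ws-01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:ws-07 process call create "cmd.exe /c C:\Users\Public\final.cpl"'},
    {"host": "ws-02", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws-03", "user": "CORP\\svc",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get caption"},
    {"host": "ws-04", "user": "CORP\\ops",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName ws-09 -ArgumentList 'cmd.exe /c whoami'"},
]

# Rule 1: reg.exe saving a credential-bearing hive (SAM, SYSTEM, SECURITY).
# "reg query" and other read-only uses of reg.exe deliberately do not match.
HIVE_DUMP = re.compile(r"\bsave\b.*\bHKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)

# Rule 2a: wmic creating a process on a remote node.
WMI_REMOTE = re.compile(r"/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)

# Rule 2b: PowerShell equivalent; lookaheads make the argument order irrelevant.
WMI_PS = re.compile(
    r"(?=.*Invoke-(?:Wmi|Cim)Method)(?=.*-ComputerName)(?=.*Win32_Process)", re.I)


@dataclass
class Finding:
    host: str
    rule: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_event(event: dict) -> list:
    """Apply both rules to one process-creation event."""
    findings = []
    image = basename(event["image"])
    cmd = event["cmdline"]
    if image == "reg.exe" and HIVE_DUMP.search(cmd):
        findings.append(Finding(event["host"], "registry_hive_dump", cmd))
    if (image == "wmic.exe" and WMI_REMOTE.search(cmd)) or WMI_PS.search(cmd):
        findings.append(Finding(event["host"], "wmi_remote_process_create", cmd))
    return findings


def analyze(events: list) -> tuple:
    """Return (all findings, hosts showing both hive dumping and WMI lateral movement)."""
    findings = [f for ev in events for f in match_event(ev)]
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    both = {"registry_hive_dump", "wmi_remote_process_create"}
    escalated = sorted(h for h, rules in rules_by_host.items() if both <= rules)
    return findings, escalated


if __name__ == "__main__":
    found, hosts = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host}: {f.cmdline}")
    print("escalate:", hosts)
```

Each rule on its own fires on legitimate administration now and then; the correlation step (same host dumping hives and then driving WMI at other machines) is what turns two medium-confidence alerts into something worth an immediate look. In a real deployment the host grouping would be bounded by a time window rather than the whole batch.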
In some cases, the hacking group has installed a BAT file to gain persistence in the network and deployed post-compromise tools, such as SiteShoter. The tool is known to take screenshots of web pages viewed on the infected machine.
Symantec mentioned, “They were also seen using an IP logging tool (IP Logger), a protocol used to turn computers on remotely (WakeOnLAN), a file and directory copier (FastCopy), and the File Transfer Protocol (FTP) executed under the MagicLine process.”