Sunday, March 3, 2024

New malware via job offers on LinkedIn



Attackers are distributing new malware through fake job offers on LinkedIn. They use social engineering to move the conversation to WhatsApp, where they deliver the malware payload “PlankWalk,” a C++ backdoor that gives them a foothold in the target’s corporate environment.

According to Mandiant, which has been tracking this campaign since June 2022, the observed activity overlaps with “Operation Dream Job,” attributed to the North Korean cluster known as the “Lazarus group.”

However, Mandiant observed enough differences in the employed tools, infrastructure, and TTPs (tactics, techniques, and procedures) to attribute this campaign to a separate group they track as “UNC2970.”

Furthermore, the attackers use previously unseen malware named “TouchMove,” “SideShow,” and “TouchShift,” which has not been attributed to any known threat group.

Mandiant says the group has previously targeted tech firms, media groups, and entities in the defense industry. Its latest campaign shows that it has expanded its targeting scope and adapted its capabilities.

Phishing to gain a foothold

The hackers begin by approaching targets over LinkedIn, posing as job recruiters. They then move to WhatsApp to continue the “recruitment” process, sharing a Word document embedded with malicious macros.

Mandiant says that in some cases these Word documents are styled to match the job descriptions being promoted to targets. For example, one of the lures shared by Mandiant impersonates the New York Times, as shown below.

Lure document sent to targets (Mandiant)

The Word document’s macros perform remote-template injection to fetch a trojanized version of TightVNC from compromised WordPress sites that serve as the attackers’ command and control servers.
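A defender-side check for the remote-template injection technique described above, added here as an example that is not from the article or from Mandiant: it opens a .docx as the ZIP archive it is and flags any attachedTemplate relationship in word/_rels/settings.xml.rels whose target is an external http(s) URL, which is the pattern a lure like this relies on. The sample documents are constructed inline, and the host example.invalid is a placeholder since the article does not name the compromised WordPress sites.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return every attachedTemplate target that points at an external http(s) URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # A document's template is referenced from the relationship part of word/settings.xml.
        for name in zf.namelist():
            if not name.endswith("_rels/settings.xml.rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                # External mode plus an http(s) scheme is the remote-template pattern;
                # a legitimate template is a local path or absent altogether.
                if rel.get("TargetMode") == "External" and \
                        urlparse(target).scheme in ("http", "https"):
                    hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal, constructed .docx with an optional attachedTemplate relationship."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a placeholder; the article names no command and control hosts.
    lure = build_sample_docx("http://example.invalid/wp-content/uploads/template.dotm")
    print(find_remote_templates(lure))  # ['http://example.invalid/wp-content/uploads/template.dotm']
    print(find_remote_templates(build_sample_docx(None)))  # []
```

The same check applies to .dotm and .docm files, which share the package layout; a hit is worth quarantining at the mail gateway before any macro is ever considered.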

Mandiant tracks this custom-made version of TightVNC as “LidShift.” Upon execution, it uses reflective DLL injection to load an encrypted DLL (a trojanized Notepad++ plugin) into the system’s memory.

The loaded file is a malware downloader named “LidShot,” which performs system enumeration and deploys the final foothold-establishing payload on the breached device, “PlankWalk.”

Disguising as Windows files

During the post-exploitation phase, the North Korean hackers use a new, custom malware dropper named “TouchShift,” which disguises itself as a legitimate Windows binary (mscoree.dll or netplwix.dll).

TouchShift then loads a screenshot utility called “TouchShot,” a keylogger named “TouchKey,” a tunneller named “HookShot,” a new loader named “TouchMove,” and a new backdoor named “SideShow.”

TouchShift loading payload in memory (Mandiant)

The most interesting of the bunch is the new custom backdoor SideShow, which supports a total of 49 commands. These commands enable an attacker to perform arbitrary code execution on the compromised device, modify the registry, manipulate the firewall settings, add new scheduled tasks, and execute additional payloads.

In some cases where the targeted organizations didn’t use a VPN, the threat actors were observed abusing Microsoft Intune to deploy the “CloudBurst” malware using PowerShell scripts.

That tool also disguises itself as a legitimate Windows file, specifically “mscoree.dll,” and its role is to perform system enumeration.

Disabling EDR tools via zero-day

A second report published by Mandiant today focuses on the “bring your own vulnerable driver” (BYOVD) tactic followed by UNC2970 in the latest campaign.

Upon examining the logs on compromised systems, Mandiant’s analysts found suspicious drivers and an odd DLL file (“_SB_SMBUS_SDK.dll”).

Upon further investigation, the researchers discovered these files had been created by another file named “Share.DAT,” an in-memory dropper tracked as “LightShift.”

The dropper loads an obfuscated payload called “LightShow,” which leverages the vulnerable driver to perform arbitrary read and write operations in kernel memory.

Obfuscated LightShow code (Mandiant)

The payload’s role is to patch kernel routines used by EDR (Endpoint Detection and Response) software, helping the intruders evade detection.

North Korean hackers previously targeted security researchers involved in vulnerability and exploit development by creating fake online social media personas that pretended to be vulnerability researchers.

These personas would then contact other security researchers about potential collaboration in vulnerability research.


Technogeek Online (https://technogeek.online)