Notorious North Korean threat actor Lazarus Group has been reported to be running a highly sophisticated, targeted malware campaign that trojanizes popular open-source software and delivers it through spear phishing.
As a result, it has managed to compromise “numerous” organizations in the media, defense and aerospace, and IT services sectors, a Microsoft report has concluded.
The company alleges that Lazarus (or ZINC, as it calls the group) has compromised PuTTY, among other open source applications, with malicious code that installs spyware. PuTTY is a free and open-source terminal emulator, serial console, and network file transfer application.
But simply trojanizing open source software doesn’t guarantee access to the target organization’s endpoints — people still need to download and run the software. That’s where spear phishing comes in. Through highly targeted social engineering on LinkedIn, the threat actors get specific individuals at target companies to download and run the app. Apparently, members of the group pose as recruiters on LinkedIn offering lucrative jobs.
The trojanized app is built to evade detection: it launches the ZetaNile spy malware only when it connects to a specific IP address and logs in with a particular set of credentials.
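Because the payload only fires against a specific IP address and credential set, running the app in a sandbox will not reveal it; the practical check for a defender is whether the downloaded installer is byte-for-byte the build the project published. The following is an added illustration, not code from the report or from the PuTTY project, that parses a sha256sum-style checksum list and classifies downloaded files; the file names, bytes and checksum list are constructed stand-ins.

```python
import hashlib

def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines: '<hex digest>  <filename>' (two spaces, or ' *' for binary mode)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected

def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_downloads(sums_text: str, files: dict[str, bytes]) -> dict[str, str]:
    """Return a status per file: 'ok' (matches the published digest), 'MISMATCH'
    (same name, different bytes: a tampered or trojanized build), or 'UNLISTED'
    (a file the project never published under that name)."""
    expected = parse_sha256sums(sums_text)
    status = {}
    for name, data in files.items():
        if name not in expected:
            status[name] = "UNLISTED"
        elif sha256_of_bytes(data) != expected[name]:
            status[name] = "MISMATCH"
        else:
            status[name] = "ok"
    return status

# Constructed stand-ins: a "published" build, a trojanized copy distributed under the
# same file name, and a file that appears in no checksum list at all.
GOOD_BUILD = b"constructed stand-in for an official installer"
TROJANIZED = GOOD_BUILD + b"\x00constructed injected loader stub"
PUBLISHED_SUMS = f"{sha256_of_bytes(GOOD_BUILD)}  example-installer.msi\n"

def demo() -> dict[str, str]:
    return verify_downloads(PUBLISHED_SUMS, {
        "example-installer.msi": TROJANIZED,          # recruiter-supplied copy
        "example-installer-from-vendor.msi": GOOD_BUILD,
    })

if __name__ == "__main__":
    print(demo())
```

A matching digest only proves the file is the published build; the checksum list itself must come from the project's site over HTTPS (or its signed release data), never from the same message that delivered the installer.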
In addition to PuTTY, Lazarus managed to compromise KiTTY, TightVNC, Sumatra PDF Reader and muPDF/Subliminal Recording.
“The actors have successfully compromised numerous organizations since June 2022,” members of the Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense teams wrote in a post. “Due to the wide use of the platforms and software ZINC uses in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple industries and regions.”
Lazarus is no stranger to fake job offer attacks. After all, the group has done the same to crypto developers and artists, posing as recruiters for the likes of Crypto.com or Coinbase.