A spy campaign by North Korean group Lazarus that was uncovered by Google researchers has now turned to chemical sector organizations in South Korea, according to a report by cybersecurity firm Symantec.
Google released a report in March identifying two North Korean government hacking campaigns that exploited Google Chrome 0-day CVE-2022-0609.
One of them – Operation Dream Job – had been running since at least August 2020 and most recently targeted more than 250 people working for 10 different news media, domain registrars, web hosting providers and software companies.
The campaign saw hackers send out emails claiming to be from Disney, Google and Oracle recruiters with fake potential job opportunities. The emails contained links spoofing legitimate job search websites like Indeed and ZipRecruiter, according to Adam Weidemann of Google Threat Analysis Group.
Symantec’s Threat Hunter team said Operation Dream Job has now been expanded to target organizations in the chemical and IT sectors in South Korea.
They were able to link activity to Operation Dream Job based on file hashes, filenames, and tools seen in previous Dream Job campaigns.
“The Lazarus Group is likely targeting organizations in the chemical sector for intellectual property to further North Korea’s own activities in this area,” Symantec explained.
“The group’s continuation of the Dream Job operation, as evidenced by Symantec and others, suggests that the operation is sufficiently successful.”
The company noted that the typical attack starts with a malicious link in an email and sets off a chain of events that eventually allows the attackers to gain access to a system and move laterally within the network with the help of Windows Management Instrumentation (WMI).
“In some cases, attackers have been spotted dumping registry credentials, installing a BAT file in a likely effort to gain persistence, and using a scheduled task configured to run as […]. Attackers have also been observed deploying post-compromise tools, including a tool used to take screenshots of web pages viewed on the compromised machine at set intervals (SiteShoter),” said Symantec.
“They were also seen using an IP logging tool (IP Logger), a protocol used to turn on computers remotely (WakeOnLAN), a file and directory copier (FastCopy) and the File Transfer Protocol (FTP) running under the MagicLine process.”
They provided a detailed case study of an intrusion that took place from January 17 to 20.
On Thursday, the US Treasury’s Office of Foreign Assets Control (OFAC) attributed one of the largest decentralized finance (DeFi) hacks ever to the Lazarus Group and sanctioned the group.
Chainalysis, a company that tracks illicit blockchain transactions, said in a January report that hackers working for the North Korean government and the Lazarus Group allegedly stole nearly $400 million worth of cryptocurrency from seven hacked companies throughout 2021.