Warning: N. Korean Job Scams Push Trojans via LinkedIn

Weird things are happening on LinkedIn. Scammers, believed to be working for North Korea, are creating fake profiles and targeting job applicants.

It seems they’re targeting certain companies so they can steal private information with Trojans. Sneakily, they’re weaponizing well-known open source apps, such as PuTTY, TightVNC and Sumatra PDF Reader.


Hey, hey, DPRK, how many people will you scam today? In today’s SB Blogwatch, we piece together the puzzle.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Top 5 creepy sites.

This Glory of the Wise People

It all started when Brian Krebs peddled this oddity—“Fake CISO Profiles on LinkedIn”:

Hackers working for the North Korean government
Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations [e.g.] Chevron … ExxonMobil … Biogen. … LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise.

LinkedIn said its teams were actively working to take these fake accounts down. … We don’t know much about who or what is behind these profiles, but in August the security firm Mandiant [said] hackers working for the North Korean government have been copying resumes and profiles … as part of an elaborate scheme to land jobs at cryptocurrency firms.

But why? notacoward hits us with their best shot:

Seems [like] an attempt to intercept some sort of inside information via the impersonators. Like phishing, to which it’s related, this would be low yield but even lower effort (and zero cost).

And then the other shoe dropped. Bring in Dan Goodin—“Numerous orgs hacked after installing weaponized open source apps”:

The hackers then pose as job recruiters
Hackers backed by the North Korean government are weaponizing well-known pieces of open source software. … ZINC—Microsoft’s name for a threat actor group also called Lazarus … best known for conducting the devastating 2014 compromise of Sony … has been lacing … legitimate open source applications with highly encrypted … espionage malware.

The hackers then pose as job recruiters and connect with individuals of targeted organizations over LinkedIn. After developing a level of trust over a series of conversations and eventually moving them to the WhatsApp messenger, the hackers instruct the individuals to install the apps, which infect the employees’ work environments.

Yikes. And Laura Dobberstein has more—“North Korean crew posing as LinkedIn recruiters”:

Educating end users can go a long way
The payloads were either packed with commercial software implants like Themida and VMProtect or encrypted with custom algorithms, which are decrypted using a custom key in the DLL. … Once in, the threat actors use custom remote access tools like FoggyBrass and PhantomStar.

LinkedIn’s Threat Prevention and Defense outfit detected ZINC making fake profiles and targeting engineers and tech support professionals in the past, and when they do, they shut them down. However, educating end users can go a long way in protecting personal and business information.

This is why I never connect with anyone on LinkedIn who I don’t already know. B neither:

I personally had one of these fake CISOs contact me at one point. Not sure if it’s the same attacker, but I noticed that they had created multiple CISOs for the same company. Got a very templated-looking message, asking to be LinkedIn friends.

But this seems surprisingly clever. Here’s jhodge:

If Kim Jong-un knows what he’s doing—and he does—I’m sure that the various military, industrial, scientific, technical, etc. leaders and key personnel live … with the knowledge that they have so very much to lose. North Korea is a disgusting regime, but let’s not make the mistake of thinking that makes them stupid or incompetent.

What was that about educating end users? Educating how? Mike 137 has this suggestion:

Such education as, “Don’t bother with LinkedIn any more.” It was once … moderately useful, but since the MS takeover it’s degenerated into a third class source of spam and fraudulent probes.

Unfortunately though, a lot of recruiters won’t look at you if you’re not on it … because they can’t be ***ed to look at multiple separate reference points, but just go exclusively to LinkedIn as that’s the least effort route to getting their commission. The candidate is just sausage filling.

Meanwhile, when life gives you lemons, Golgo1 is making lemonade:

Job interviewers can learn from this. As part of the hiring process … ask the applicant to download and install some popular software from a non-official source. If they agree, that’s one more application you can toss.
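The practical counterpart to Golgo1’s point, and to the trojanized PuTTY/TightVNC/Sumatra builds in the Goodin and Dobberstein pieces, is a check you can run before any downloaded installer is executed. The PowerShell below is an added example, not code from this post or from any of the quoted sources; it uses the standard `Get-FileHash` and `Get-AuthenticodeSignature` cmdlets, and the allow-list file name, SHA-256 value and signer name in it are placeholders you would replace with values copied from each project’s official download page.

```powershell
# Added example (not from the article or its sources): verify a downloaded
# installer before it is run. Two independent checks must both pass:
#   1. the file's SHA-256 equals the value published on the project's official site
#   2. the Authenticode signature chain is valid AND the signer is the expected publisher
# A file name alone proves nothing (the attacker chooses it), so the name is only
# used to look up which hash and signer to expect.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        # file name -> @{ Sha256 = '<hex>'; Signer = '<substring of signer Subject>' }
        [Parameter(Mandatory)] [hashtable] $KnownGood
    )

    $name = [System.IO.Path]::GetFileName($Path)
    if (-not $KnownGood.ContainsKey($name)) {
        return [pscustomobject]@{ File = $name; Verdict = 'UNKNOWN'; Reason = 'not in the allow list' }
    }
    $expected = $KnownGood[$name]

    # Check 1: content hash against the published value (case-insensitive hex compare)
    $actualHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actualHash -ne $expected.Sha256.ToUpperInvariant()) {
        return [pscustomobject]@{ File = $name; Verdict = 'REJECT'; Reason = "SHA-256 mismatch: $actualHash" }
    }

    # Check 2: Authenticode status and signer identity. A repackaged build is typically
    # unsigned (NotSigned), tampered (HashMismatch) or signed by an unrelated certificate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $name; Verdict = 'REJECT'; Reason = "signature status: $($sig.Status)" }
    }
    if ($sig.SignerCertificate.Subject -notlike "*$($expected.Signer)*") {
        return [pscustomobject]@{ File = $name; Verdict = 'REJECT'; Reason = "unexpected signer: $($sig.SignerCertificate.Subject)" }
    }

    return [pscustomobject]@{ File = $name; Verdict = 'ACCEPT'; Reason = 'hash and signer match the allow list' }
}

# Placeholder allow list (constructed for this example): populate it from each
# project's official site, fetched over HTTPS, never from a link a "recruiter" sent.
$allowList = @{
    'example-installer.msi' = @{
        Sha256 = 'PLACEHOLDER_SHA256_FROM_OFFICIAL_DOWNLOAD_PAGE'
        Signer = 'PLACEHOLDER_PUBLISHER_CN'
    }
}

Test-TrustedInstaller -Path "$env:USERPROFILE\Downloads\example-installer.msi" -KnownGood $allowList | Format-List
```

The two checks are deliberately independent: a hash mismatch with an otherwise valid signature from the right publisher usually just means a newer release than your allow list knows about, whereas a valid signature from the wrong publisher, or no signature at all, on a file that claims to be PuTTY or TightVNC is exactly the pattern these reports describe. Treat `REJECT` and `UNKNOWN` the same way in practice: the file does not get run until someone has confirmed its provenance against the official site.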

And Finally:

But is it art?


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Roman Harak (cc:by-sa; leveled, cropped and macroed)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
