Microsoft has claimed a North Korean crew poses as LinkedIn recruiters to distribute poisoned versions of open source software packages.
The state-sponsored group has been around since 2009 and was allegedly behind the 2014 attack on Sony Pictures in retaliation for the controversial Seth Rogen comedy The Interview.
Dubbed “ZINC”, the threat actors have previously run long-term phishing schemes targeting media, defence and aerospace, and IT services organizations in the US, UK, India, and Russia.
Starting in June of this year, ZINC relied on social engineering tactics: contacting targets on LinkedIn and claiming to be a recruiter, establishing trust with targets, and switching communications to WhatsApp where they delivered shellcode from the ZetaNile malware family.
The payloads were either packed with commercial packers like Themida and VMProtect or encrypted with custom algorithms, and are decrypted using a custom key embedded in the DLL.
“By encoding the victim information in the parameters for common keywords like gametype or bbs in the HTTP POSTs, these C2 communications can blend in with legitimate traffic,” said Microsoft.
The trojanized open-source software included PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer. Once in, the threat actors use custom remote access tools like FoggyBrass and PhantomStar.
Microsoft said the purpose of the attacks appears to be run-of-the-mill cyberespionage and attempts to steal money or data, or just corporate network sabotage.
If the group has been around since 2009, why bring it up now?
“Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions,” said Microsoft.
LinkedIn’s Threat Prevention and Defense outfit has detected ZINC creating fake profiles and targeting engineers and tech support professionals in the past, and shuts such accounts down when it finds them. However, educating end users can go a long way in protecting personal and business information.
Microsoft has advised scanning for indicators of compromise (IOCs) and traffic from certain IP addresses. Reviewing authentication requirements for remote access, and ensuring use of multifactor authentication, is also recommended. ®
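Microsoft's note that the C2 traffic hides victim data inside ordinary-looking HTTP POST parameters such as gametype or bbs, together with its advice to scan for IOCs, suggests a simple triage check. The script below is an added example written for this article, not Microsoft's tooling; it runs over constructed proxy log lines (no real telemetry) and flags POSTs whose gametype or bbs parameter carries a base64-looking blob rather than a plain keyword, decoding the blob so an analyst can see what was sent.

```python
import re
from base64 import b64decode
from urllib.parse import parse_qs

# Parameter names the article quotes as carriers of encoded victim data.
SUSPECT_KEYS = {"gametype", "bbs"}

# Constructed sample proxy log lines (not real telemetry): METHOD URL "POST body".
# Base64 values here encode invented hostnames/users, e.g. "Victim-HOST-01;10.0.0.5".
SAMPLE_LOGS = [
    'POST http://forum.example.net/board.php "bbs=VmljdGltLUhPU1QtMDE7MTAuMC4wLjU="',
    'POST http://games.example.org/api "gametype=d3MwMTtqZG9lOzEwLjAuMC43&score=12"',
    'POST http://games.example.org/api "gametype=deathmatch&score=12"',
    'GET http://forum.example.net/board.php?bbs=general ""',
]

LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) "(?P<body>.*)"$')


def decode_blob(value: str):
    """Return the decoded text if value is plausible base64 of a short blob, else None.

    A plain game mode or board name is short or not valid base64, so it is ignored;
    a 16+ character value that decodes cleanly is worth an analyst's look.
    """
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=]+", value):
        return None
    try:
        return b64decode(value, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error (bad padding/alphabet) is a ValueError
        return None


def flag_suspicious_posts(lines):
    """Return (url, key, decoded_value) for POSTs carrying an encoded blob under a suspect key."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Bodies are form-encoded, so a real client would send '+' as %2B; parse_qs handles that.
        params = parse_qs(m["body"], keep_blank_values=True)
        for key in SUSPECT_KEYS & params.keys():
            for value in params[key]:
                decoded = decode_blob(value)
                if decoded is not None:
                    hits.append((m["url"], key, decoded))
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_posts(SAMPLE_LOGS):
        print("review:", hit)
```

The length and base64 heuristic is deliberately loose; it is a triage filter to pair with the published IOCs, not a signature on its own.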