
The notorious North Korea-based cybercriminal group, Lazarus, is involved in another phishing campaign targeting the defense industry. The APT group has been impersonating the Bethesda, Maryland-based company, Lockheed Martin, specializing in aeronautics, space, and military technology.

The cybercriminal group has been targeting job seekers with fake Lockheed Martin job offers. The campaign was uncovered by Akshat Pradhan, a Qualys Senior Engineer of Threat Research, on February 8.

Lazarus is a state-sponsored hacking group that has ties to North Korea. The group has been behind some serious attacks in the past, including the WannaCry ransomware attack and the Bangladesh Bank heist, in which more than $80 million was stolen. The group is also believed to be responsible for attacks against South Korean freight companies and supply chains.

In the current attack, Lazarus is sending phishing emails and documents to job seekers, pretending to offer Lockheed Martin employment opportunities. The job seekers are sent an email that contains attached documents, named “Lockheed_Martin_JobOpportunities.docx” or “Salary_Lockheed_Martin_job_opportunities_confidential.doc”.

These documents contain malicious macros, and when clicked upon, they can trigger shellcode that hijacks control of the device and creates scheduled tasks for persistence. The hackers also abuse Living Off the Land Binaries (LOLBins) to further compromise the target’s device. However, the Qualys team got an error while attempting the further payload, so the researchers are not sure what the end result could be.

“We attribute this campaign to Lazarus as there is significant overlap in the macro content, campaign flow, and phishing themes of our identified variants as well as older variants that have been attributed to Lazarus by other vendors,” says Pradhan.

This isn’t the first time Lazarus has attacked job seekers: F-Secure has also found samples of phishing emails, posing as fake job offers, that were sent to a cryptocurrency organization. Outpost24’s Blueliv cybersecurity team has named Lazarus, FIN7, and Cobalt as the most pervasive groups targeting cryptocurrency and other financial organizations.

Nor is this the first time we have seen cyberattacks related to job offers. Previously, North Korean state-sponsored hackers posed as Samsung recruiters and sent phishing emails with malicious documents to job seekers.

Lazarus also compromised various Windows systems last month by sending victims infected attachments, through which they are directed to a Windows/System32 folder.

According to ZDNet, a Lockheed Martin spokesperson said, “While we don’t discuss specific threats or responses, we have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems and data security.”

After the news of the attack, the company also dedicated a page on its website to recruitment fraud. According to Lockheed Martin, some common scam identifiers include asking you to make payments for travel expenses or other small expenses. After the payment is complete, the threat actors never contact the victim.