That job offer in your inbox might be part of a North Korean cyberattack

Professionals in the aerospace and defense industries should watch out: a wave of fake job offers containing malicious documents has been spotted in the wild by McAfee researchers.

A wave of bogus job offer emails from leading aerospace and defense companies is actually a cybercrime campaign designed to harvest information about professionals in sensitive industries. Discovered by McAfee Advanced Threat Research (ATR), the campaign appears to have begun in April 2020 and was detected until mid-June, and there are telltale signs that the campaign is being orchestrated by known North Korean hacking groups.

Based on similarities ATR found in the Visual Basic code used to execute the attack, along with familiar core functions, “the indicators from the 2020 campaign point to previous activity from 2017 and 2019 that was previously attributed to the threat actor group known as Hidden Cobra,” the report stated.

Hidden Cobra is a US Government umbrella term for North Korean threat groups Lazarus, Kimsuky, KONNI, and APT37, and like the campaigns in 2017 and 2019, this one has the apparent goal of “gathering intelligence surrounding key military and defense technologies,” ATR said. 

The basis of the campaign is simple: Use legitimate job postings from leading defense contractors, turn them into fake job offers, and email them directly to aerospace and defense professionals who may be interested in that kind of position. The offer contains a malicious Microsoft Word document that, once opened, installs data harvesting software that will give the attacker access to sensitive personally identifying information about the victim. 

Like other attacks of this kind, there’s nothing new going on here: it’s a familiar spearphishing campaign that relies on a victim to open the malicious document and allow it to download and execute macros hidden in a template that is fetched from the attacker’s command and control server.

Once the payload is executed, the attack runs macros that install malicious DLL files that ATR said are designed “to gather machine information from infected victims that could be used to further identify more interesting targets.” The DLLs used in the attack are modified versions of legitimate software DLLs, making it easier for the malicious file to go unnoticed.

Once installed, the DLL uses active evasion techniques by mimicking User-Agent strings of other applications so that Windows assumes it’s part of a legitimate application. It also adds a LNK file to the Windows startup folder to ensure persistence. 
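
The remote-template step described above leaves a trace defenders can check for: a .docx file is a ZIP archive, and a template fetched from another host shows up as an external `attachedTemplate` relationship. The following is an added example, not code from the McAfee report or this article; the helper names are hypothetical, and the sample documents and the `example.invalid` URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")


def is_remote(target):
    """True for URLs and UNC paths; local file:/// paths are ordinary."""
    t = target.lower()
    return t.startswith("\\\\") or ("://" in t and not t.startswith("file:///"))


def remote_templates(docx_bytes):
    """Return (part, target) for each attached template fetched from another host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # malformed part: skip rather than abort the scan
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode", "").lower() == "external"
                        and is_remote(target)):
                    hits.append((part, target))
    return hits


def make_docx(template_target):
    """Build a minimal constructed .docx container with one template relationship."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
            '</Relationships>') % (REL_NS, TEMPLATE_TYPE, template_target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

# Constructed samples: a placeholder remote URL and an ordinary local path.
SUSPICIOUS = make_docx("https://templates.example.invalid/offer.dotm")
BENIGN = make_docx("file:///C:/Templates/Letter.dotx")
```

Documents created from a local template also carry an external `attachedTemplate` entry, which is why the check only reports targets that resolve to another host.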

Avoiding the threat

McAfee notes in its report that the campaign appears to be widening its targets, with examples being found of fake job offers at top animation companies and fake reports on US-Korean diplomatic relations targeting South Koreans. 

Common mitigation methods apply here, such as not opening attachments from potentially suspicious sources, verifying the source of an email, and not granting permissions for scripts or macros to run from downloaded files.

McAfee ATR also recommends the following strategies for organizations whose members could be targeted: 

  • Have a threat intelligence program that keeps you up-to-date on threats to your particular industry or role.
  • Train users to detect potentially malicious messages: “Well-trained and ready users, informed with the latest threat intelligence on adversary activity, are the first line of defense,” the report said.
  • Ensure your end user device security is adaptable, updated, and able to detect fileless malware.
  • Use a secure web proxy to filter out known malicious websites and command and control domains. Keep it updated with the latest known threat intelligence.
