To Target Security Firms, the Zinc Group Disguised as Samsung Recruiters

The Zinc group posed as Samsung recruiters in a spear-phishing campaign aimed at employees of South Korean security firms.

According to Google TAG researchers, a spear-phishing campaign targeting South Korean security companies that sell anti-malware solutions was carried out by a North Korea-linked APT group posing as Samsung recruiters. The state-sponsored hackers, according to the Google Threat Horizons report, sent fake job offers to employees at these security firms. The same group, known as Zinc, had targeted security researchers in previous campaigns, Google TAG researchers note.

“TAG observed a North Korean government-backed attacker group that previously targeted security researchers posing as recruiters at Samsung and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions,” reads the Google Threat Horizons report.

According to Google, the emails included a PDF that purported to be a job description for a position at Samsung, but the PDFs were malformed and would not open in a standard PDF reader. When targets replied that they could not open the job offer file, the hackers offered to help by sending a link to a "Secure PDF Reader" application they could download.

Google says this file was a modified version of PDFTron, a legitimate PDF reader, altered to install a backdoor trojan on the victims' machines.
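As an added illustration (not code from Google TAG or this post), a small triage check a mail-security team could run over inbound messages to flag the lure pattern described above: an attachment named .pdf that is not a well-formed PDF, combined with a body that steers the recipient toward downloading a third-party "PDF reader". The sample messages, the heuristic names and the example.invalid URLs are constructed for the demonstration.

```python
import re

# Constructed sample messages (not real campaign artefacts): each has a body
# and a list of (filename, bytes) attachments.
SAMPLES = {
    "benign": {
        "body": "Please find the job description attached.",
        "attachments": [("role.pdf", b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n")],
    },
    "malformed_pdf_plus_reader_link": {
        "body": "If the file won't open, download our Secure PDF Reader: https://example.invalid/reader.exe",
        "attachments": [("Samsung_JD.pdf", b"\x00\x01garbage, not a pdf")],
    },
    "reader_link_only": {
        "body": "Install this PDF reader to view: https://example.invalid/viewer.exe",
        "attachments": [],
    },
}

# "PDF reader/viewer" mentioned together with a download link somewhere after it.
READER_LURE = re.compile(r"\bpdf\s+(reader|viewer)\b.*https?://", re.I | re.S)


def is_well_formed_pdf(data: bytes) -> bool:
    """Cheap structural check: a PDF header near the start and an EOF marker near the end."""
    head = data[:1024]
    tail = data[-1024:]
    return b"%PDF-" in head and b"%%EOF" in tail


def triage(message: dict) -> list:
    """Return the reasons a message matches the malformed-PDF / fake-reader lure pattern."""
    reasons = []
    for name, data in message["attachments"]:
        if name.lower().endswith(".pdf") and not is_well_formed_pdf(data):
            reasons.append(f"attachment {name} claims to be PDF but is not well-formed")
    if READER_LURE.search(message["body"]):
        reasons.append("body steers recipient to download a third-party PDF reader")
    return reasons


def is_suspicious(message: dict) -> bool:
    return len(triage(message)) > 0


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, triage(msg))
```

Either signal alone is worth a closer look; both together match the two-step lure the report describes.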

The Zinc APT group, also known as Lazarus, stepped up its activity in 2014 and 2015, and its members generally used custom-built malware in their attacks. The threat actor has been active since at least 2009, and possibly as early as 2007, and has carried out both cyber-espionage and sabotage campaigns aimed at destroying data and disrupting systems.

The group, tracked by Microsoft under the codename "Zinc", has puzzled the security community, which believes it was trying to obtain unreleased vulnerabilities and exploits from less cautious members of that community.

The attacks were attributed to the same team of North Korean hackers that previously targeted security researchers on Twitter and other social networks in late 2020 and into 2021, according to the Google Threat Analysis Group, the Google security team that discovered the malicious emails.

The attack against South Korean antivirus makers may have a different aim: compromising their employees could give the group the access it needs to launch a targeted supply chain attack on South Korean enterprises that use their anti-malware software.
Labels: Cyber Crime, North Korean Hackers, Samsung, Security Researchers, Spear Phishing Campaign