Cybersecurity researchers this week reported that the Lazarus Group – a loose affiliation of cybercriminals believed to work for the North Korean government – launched a campaign using employment-themed phishing lures against the United States defense sector. According to Qualys Threat Research, which identified the campaign, the group appears to be targeting job applicants by posting fake listings for the American aerospace and defense company Lockheed Martin.

The Lazarus Group had previously posed as other defense companies – including Northrop Grumman and BAE Systems – in similar catfishing schemes. The researchers dubbed this campaign “LolZarus” because of the different LOLBins used in the observed samples, some of which had not previously been seen in use by such a well-known adversary.

High-Tech Campaign

LOLBins, or “Living Off the Land Binaries,” are legitimate, signed binaries that ship with the operating system and that cyber criminals and crime groups abuse to camouflage their malicious activity as ordinary system behavior.

The term “Living Off the Land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to describe the use of trusted, pre-installed system tools to carry out an attack rather than dropping custom tooling. According to the cybersecurity research firm Cynet, “there are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts.”

In other words, these are legitimate system utilities and tools that can be turned to malicious purposes. Because the binaries themselves are trusted and expected on every host, the activity blends in with regular system and network activity, and signature-based controls that look only at the executable have nothing to flag.

In this case, the Lazarus Group’s campaign targets hopeful job applicants in the defense industry with phishing documents that pretend to offer employment opportunities. The documents contain malicious macros that trigger shellcode to hijack control flow, retrieve decoy documents to keep the victim from becoming suspicious, and create scheduled tasks for persistence.
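The two passages above (the LOLBin definition and the macro-to-scheduled-task chain) describe a pattern that is easier to hunt for at the process-tree level than at the file level: an Office process that spawns a native Windows binary, and a scheduled task being created from an unexpected parent. The following detection sketch is an added example and is not code from Qualys or from the article; the log lines are constructed in a simplified Sysmon Event ID 1 (process creation) style, and the LOLBin watchlist is an assumption for illustration since the page does not name the specific binaries the samples used.

```python
"""Toy process-creation detector for Office-spawned LOLBins and
scheduled-task persistence.  Added example, not from the original report.
"""
import re
from dataclasses import dataclass

# Office hosts whose child processes deserve scrutiny when a macro runs.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# ASSUMPTION: a hypothetical watchlist of native Windows binaries that are
# frequently abused as LOLBins.  The page does not list the ones Lazarus used.
LOLBINS = {
    "schtasks.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "powershell.exe",
    "cmd.exe", "bitsadmin.exe", "msiexec.exe",
}

# Minimal parser for the constructed log format used below.
LINE_RE = re.compile(
    r'ParentImage="(?P<parent>[^"]*)"\s+'
    r'Image="(?P<image>[^"]*)"\s+'
    r'CommandLine="(?P<cmd>[^"]*)"'
)


@dataclass
class Finding:
    rule: str
    parent: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Normalize a Windows path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(lines):
    """Return a Finding for every suspicious process-creation record."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a process-creation record we understand
        parent = basename(m["parent"])
        image = basename(m["image"])
        cmd = m["cmd"]

        # Rule 1: an Office host launching a LOLBin is the macro's first hop.
        if parent in OFFICE_PARENTS and image in LOLBINS:
            findings.append(Finding("office_spawns_lolbin", parent, image, cmd))

        # Rule 2: scheduled-task creation, regardless of parent, is the
        # persistence step described in the article.  Querying is benign.
        if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
            findings.append(Finding("scheduled_task_created", parent, image, cmd))
    return findings


# Constructed sample records (not real telemetry).  Only the first line
# should fire: WINWORD.EXE spawning schtasks.exe with /create.
SAMPLE_LOG = [
    'EventID=1 ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\schtasks.exe" '
    'CommandLine="schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\u.exe"',
    'EventID=1 ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'CommandLine="WINWORD.EXE /n Offer.docm"',
    'EventID=1 ParentImage="C:\\Windows\\System32\\svchost.exe" '
    'Image="C:\\Windows\\System32\\schtasks.exe" '
    'CommandLine="schtasks /query /tn Updater"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.parent} -> {f.image}: {f.cmdline}")
```

The parent-child relationship is the durable signal here: the macro can vary which LOLBin it calls and how it encodes its arguments, but an Office process has very few legitimate reasons to launch schtasks.exe, mshta.exe or regsvr32.exe, so rule 1 survives the "slight changes in the variant" problem discussed below far better than a hash or a command-line signature would.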

“These types of phishing attacks are a perfect example of how threat actors easily compromise systems in an organization. They are almost impossible to defend against despite email security and employee training,” warned Saryu Nayyar, CEO and founder of cybersecurity research firm Gurucul.

“Outside of the initial compromise methodology, it is especially hard for security teams to identify this new attack out of the gate until a threat research team uncovers and analyzes the campaign,” Nayyar told ClearanceJobs via an email. “In this case it is a new variant of attacks typically used by a known state-sponsored hacking group. The worst part is that it uses capabilities that mimic real activity to further hide malicious intent.”

Even with the right tools, identifying the campaign after the initial compromise remains a serious challenge for security teams: the attack chain mixes several techniques, and slight changes in how a new variant is built are often enough to slip past existing detection rules.

“Customers need to invest more in behavioral based analytics solutions that not only baseline normal user and asset activity, but can self-learn what is normal and abnormal in order to better prioritize threat activity,” added Nayyar. “Rule-based machine learning (ML) models cannot do this proactively and require a vendor update based on the discovered research. This does not provide immediate detection against these previously-unknown variants.”

Fake Job Listings on the Rise

This is just the latest threat involving fake job listings. Last April the Federal Bureau of Investigation (FBI) warned that cybercriminals have increased their use of such listings to harvest personally identifiable information from applicants.

“Fake Job or Employment Scams occur when criminal actors deceive victims into believing they have a job or a potential job. Criminals leverage their position as ‘employers’ to persuade victims to provide them with personally identifiable information (PII), become unwitting money mules, or to send them money,” the FBI cautioned.

According to the FBI’s Internet Crime Complaint Center (IC3), 16,012 people reported being victims of employment scams in 2020, with losses totaling more than $59 million.

What to Look for in a Fake Job Posting

Spotting fake job listings is increasingly challenging, as criminals often spoof a legitimate company’s website and register a domain name that looks similar to the legitimate one. In addition, fake job openings can be posted on popular job boards that direct applicants to the spoofed sites.

After an applicant responds, they may be contacted by email to conduct an interview using a teleconference application. According to victims, cyber criminals impersonate personnel from different departments, including recruiters, talent acquisition, human resources, and department managers.

Cyber criminals executing this scam request the same information as legitimate employers, making it difficult to identify a hiring scam until it is too late, the FBI also warned.

However, the FBI also noted some indicators of this scam. These may include:

  • Interviews are not conducted in-person or through a secure video call.
  • Interviews are conducted via teleconference applications that use email addresses instead of phone numbers.
  • Potential employers contact victims through non-company email domains and teleconference applications.
  • Potential employers require employees to purchase start-up equipment from the company.
  • Potential employers require employees to pay upfront for background investigations or screenings.
  • Potential employers request credit card information.
  • Potential employers send an employment contract to physically sign that asks for PII.
  • Job postings appear on job boards, but not on the companies’ websites.
  • Recruiters or managers do not have profiles on the job board, or the profiles do not seem to fit their roles.

The FBI also cautioned that even if a job offer sounds legitimate, applicants should never send money to anyone they meet online, especially via wire transfer. In addition, legitimate employers will not ask for personal credit card information, and bank information should not be provided to anyone without first verifying their identity. Finally, do not accept any job offer that asks you to use your own bank account to transfer a company’s money – no legitimate company would ever ask you to do so.


Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.