top of page

ESET Research discovers an attack led by Lazarus hijacking Whatsapp and Linkedin

ESET Research discovers an attack led by Lazarus hijacking Whatsapp and Linkedin, aimed at contractors around the world in the Aerospace and Defense sectors.

• During the annual ESET World conference, ESET researchers presented a new survey conducted by the APT Lazarus Group targeting defense contractors worldwide. This operation was carried out between the end of 2021 and March 2022.

• ESET telemetry locates targets in Europe (France, Italy, Spain, Germany, Czech Republic, Netherlands, Poland and Ukraine), the Middle East (Turkey, Qatar) and Latin America (Brazil).

• The APT Group used services such as LinkedIn and WhatsApp to carry out its fake recruitment campaigns.

• According to the US government, Lazarus is linked to the North Korean regime.

At the annual ESET World conference, ESET researchers presented a new investigation into the infamous APT Lazarus group. Jean-Ian Boutin, Director of Threat Research at ESET, presented the multiple campaigns operated by the Lazarus group against defense contractors, on a global scale, between the end of 2021 and March 2022.

According to ESET telemetry, Lazarus targeted companies in Europe (France, Italy, Germany, Netherlands, Poland and Ukraine) and Latin America (Brazil).

Although the main objective of this operation was cyber espionage, the group also attempted to exfiltrate sums of money (without success). “The APT Lazarus group has been ingenious in deploying an interesting set of tools, including for example a user-mode component capable of exploiting a vulnerable Dell driver to write to kernel memory. This advanced technique has been used in an attempt to circumvent the monitoring of security solutions. explains Jean-Ian Boutin.

As early as 2020, ESET researchers had already documented a campaign by a subgroup of Lazarus against European aerospace and defense contractors, called “Operation In(ter)ception”. It was distinguished by the use of social networks, in particular LinkedIn, to establish a relationship of trust between the attacker and an employee, before sending him malicious components disguised as job descriptions or applications. At the time, companies in Brazil, the Czech Republic, Qatar, Turkey and Ukraine were targeted.

ESET researchers assumed the action was aimed primarily at European companies, but by following a number of Lazarus sub-groups running similar campaigns against defense companies, they quickly found that the campaign was much broader. . While the malware used in the different campaigns was different, the original modus operandi (M.O.) always remained the same: a fake recruiter contacted an employee via LinkedIn and ended up sending him malicious components.

ESET researchers also noted the reuse of elements from legitimate recruitment campaigns to add credibility to their fake recruitment campaigns, as well as the use of services such as WhatsApp or Slack.

Fake recruitment campaign by Lazarus

In 2021, the US Justice Department indicted three computer programmers for cyberattacks while working for the North Korean military. According to the US government, they belonged to the North Korean military's computer unit, known in the community as the Lazarus Group.

Along with the new Lazarus study, ESET gave a presentation on “Cyberwarfare past and present in Ukraine” at the annual conference. Robert Lipovský, researcher at ESET, examined in detail Russia's cyberwar against Ukraine, including the latest attempt to disrupt its power grid using Industrialer2 and different data erasure attacks.

Joining ESET Research at ESET World, former Commander of the International Space Station and key figure in ESET's Progress Protected campaign, Canadian astronaut Chris Hadfield, joined ESET CEO Richard Marko to discuss intricacies of technology, science and life.

About ESET

For more than 30 years, ESET® has been developing IT security software and services to protect the digital assets of companies, critical infrastructures and consumers around the world against cyber threats. We protect fixed and mobile terminals, collaborative tools and provide incident detection and processing. Established around the world, our R&D centers collect and analyze cyber threats to protect our customers and our digital world.

4 views0 comments


bottom of page