Cyber gangsters have hit 87 mostly defense and government targets in a 14-industry spearphishing operation disguised as legitimate job recruitment inquiries, McAfee reported.
In October and November 2018, the as-yet unidentified hackers lured victims into opening emails that contained a “weaponized macro,” which launched second-stage malware coded to collect intelligence, according to the company's threat researchers. The prey’s personal data, including user names, IP addresses, network configuration and system settings, was then directed to a control server.
It’s not clear how much data the hackers made off with and McAfee shied away from naming the possible culprits. “We shall leave attribution to the broader security community,” McAfee senior analyst for major campaigns Ryan Sherstobitoff and malware researcher Asheer Malhotra wrote in a blog post. “Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”
McAfee, which named the ruse Operation Sharpshooter, suspects the attacks may be related to the infamous North Korean Lazarus Group, said to be involved in the high-profile cyberattacks on Sony Pictures in 2014 and the destructive WannaCry ransomware assault last year. The second-stage implant in the campaign, which McAfee is calling Rising Sun, uses source code from Lazarus’ 2015 backdoor Trojan Duuzer.
However, the Lazarus clues may be too transparent to be a telling lead, McAfee suggested. “Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags,” the researchers wrote. Job recruitment attacks using spearphishing techniques apparently aren’t novel, but this particular second-stage implant is new, Sherstobitoff and Malhotra said. “Our discovery of this new, high-function implant is another example of how targeted attacks attempt to gain intelligence,” they said.
At this point, there’s no way to tell if the attack was a “first-stage reconnaissance operation” or the beginning of a larger, more insidious series of hacks. “We will continue to monitor this campaign and will report further when we or others in the security industry receive more information,” the researchers said.
McAfee lists the industries aimed at by Operation Sharpshooter in the blog.