Looking to work for Meta? Make sure that job offer is legit. North Korean hackers have been spotted posing as recruiters for Facebook parent company Meta to trick users into loading malware on their computers.

The findings come from antivirus provider ESET, which recently investigated a 2022 breach at an unnamed Spanish aerospace company. ESET traced the intrusion to a hacker-controlled account on LinkedIn that was impersonating a recruiter for Meta.

The suspected North Korean hackers contacted multiple employees at the Spanish aerospace company using LinkedIn Messaging. “Masquerading as a Meta recruiter, the attacker used a job offer lure to attract the target’s attention and trust,” ESET says.

The "recruiter" sent prospective employees coding challenges, or quizzes, so they could demonstrate their programming skills. But in reality, the coding challenges were malicious software packages and included a downloader designed to “deploy any desired program into the memory of the victim’s computer,” ESET says.

Once the downloader was installed, the hacker delivered two different remote-access Trojans, which can hijack access to a PC. One of those Trojans was previously used in campaigns from the notorious North Korean group Lazarus, perhaps best known for their cryptocurrency heists and the 2014 Sony Pictures hack.

ESET also notes that employees who fell for the scheme were using “corporate computers for personal purposes." As a result, the North Korean hackers had easy access to the Spanish aerospace company’s network. “The final goal of the attack was cyberespionage,” possibly to

further North Korea’s own aerospace and nuclear weapons ambitions.

During the intrusion, the North Korean hackers also deployed a newly discovered remote-access Trojan, dubbed “LightlessCan,” which was found to be fairly sophisticated. For example, it can only be decrypted for activation on the intended victim’s PC. It’ll also mimic “the functionalities of a wide range of native Windows commands,” to hide itself from detection.

The remote-access Trojan shows Lazarus has found ways to further prevent antivirus providers from detecting their activities. “The attackers can now significantly limit the execution traces of their favorite Windows command line programs that are heavily used in their post-compromise activity,” ESET added. “This maneuver has far-reaching implications, impacting the effectiveness of both real-time monitoring solutions and of post-mortem digital forensic tools.”

By: DocMemory
Copyright © 2023 CST, Inc. All Rights Reserved