North Korean-associated hacking outfit Lazarus Group has been actively utilising Trojanized Virtual Network Computing (VNC) applications to target professionals in the defence and nuclear industries, part of an ongoing scheme known as Operation Dream Job.
The targeted businesses are predominantly those directly engaged in defence manufacturing, including those that produce radar systems, unmanned aerial vehicles, military vehicles, ships and weaponry.
According to Kaspersky's Advanced Persistent Threat (APT) trends report for the third quarter of 2023, the threat actors are using social media platforms to ensnare job seekers into activating these malicious applications.
The Trojanized VNC applications are engineered to operate discreetly to evade detection from behaviour-based security mechanisms.
Once activated by the user, these nefarious applications download additional payloads, compromising the target system or network infrastructure.
#ESETresearch uncovered a #Lazarus attack against an aerospace company in ????????, deploying several tools, most notably a publicly undocumented and sophisticated RAT we named LightlessCan. The attack is part of Operation DreamJob. @pkalnai https://t.co/VK9nGEn2Gp 1/6— ESET Research (@ESETresearch) September 29, 2023
About Lazarus Group
In the broader context, the Lazarus Group is part of a cluster of North Korean threat groups including APT37, APT43, Kimsuky and its own sub-groups, Andariel and BlueNoroff.
These groups have been adapting and evolving, as noted by Google-owned Mandiant, developing tailored malware for multiple platforms, including Linux and macOS.
This signals a broader shift in the tactics, techniques and procedures used by North Korean hacking entities, making attribution increasingly complex.
It's noteworthy that these advancements have been accompanied by a heightened focus on developing macOS malware, particularly targeting high-value individuals in the cryptocurrency and blockchain industries, according to Mandiant.