North Korean hackers use a fake security company and social media accounts as part of a widespread campaign to trick cybersecurity researchers with malware.
Hackers have leveraged at least two fake accounts on LinkedIn that impersonate recruiters appearing to be from antivirus software and security companies. One of the recruiters, supposedly named “Carter Edwards,” works at a company allegedly named “Trend Macro,” which someone quickly searching for a new information security job may confuse with the real security company Trend Micro.
The campaign also relies on some Twitter accounts.
The fake business, which the hackers call “SecuriElite,” claims to be based in Turkey and focused on offensive security, penetration tests, software security assessments and exploits.
The hackers set up this company in March 2021. The Twitter account that appears to be linked with the fake firm has only tweeted once and has only one follower.
It is not the first time these suspected North Korean hackers have set up a fake website and social media accounts meant to compel other security researchers into alleged collaboration, only to deceive them into downloading malware.
Google previously exposed an earlier iteration of the campaign, which boasted a seemingly legitimate security blog and opportunities for targets to research a vulnerability with the blog owners.
In that case, even curious targets who merely clicked through to look at the blog were infected, even when they were running fully updated versions of Windows 10 and the Chrome browser.
The revelation that the hackers have set up a new arm of the campaign in recent days, however, suggests they have not been deterred by their prior exposure.
Although Google said the hackers are linked with a government-backed entity, it did not name the specific group of attackers.
The hackers have not appeared to target any researchers with malware using the SecuriElite part of the campaign yet. But the website offers a link to their PGP public key, a link the previous version of the campaign provided to distribute a browser exploit.
The previous campaign, which did target victims with malware, leveraged accounts on Twitter, LinkedIn, Telegram, Discord and Keybase, and sent emails to potential victims.
Google said it had contacted LinkedIn and Twitter for possible takedown efforts targeting the latest social media accounts the team has unearthed. Both social media platforms removed the accounts.
“Our terms prohibit the use of LinkedIn for any criminal activity, and we actively seek out signs of state-sponsored activity and quickly take action against bad actors on the platform,” a LinkedIn spokesperson told CyberScoop.
“All of the accounts you referenced were permanently suspended for violating the Twitter Rules. If we can reliably attribute any activity to state-backed actors, we will disclose accounts and associated content to our archive of information operations,” a Twitter spokesperson said.
Some North Korean hackers posed as job recruiters in 2016 and 2017 to break into the computer systems at Lockheed Martin, according to the Department of Justice.
More recently, hackers associated with North Korea’s government known as Lazarus Group targeted people working for Israel’s defense sector with false job offers last year as a part of a larger espionage campaign, according to Israel’s Ministry of Defense. North Korean hackers have also recently targeted employees at aerospace and defense firms with malicious Microsoft Word documents, according to McAfee researchers.