A recent attack on an undisclosed Spanish aerospace company all started with messages to the company's employees that appeared to be coming from Meta recruiters, via LinkedIn Messaging. ESET researchers uncovered the attack and attributed it to the Lazarus group, particularly a campaign dubbed Operation DreamJob. This campaign by the Lazarus group was aimed at defense and aerospace companies with the goal of carrying out cyberespionage.
Initial messages sent to the aerospace company's employees claimed to be from a recruiter for Meta. They started with a friendly tone from the very beginning, a tactic designed to get victims to let their guards down:
Subsequent messages to some victims included an attacker-provided, trojanized PDF viewer to view the full job offer, while others were encouraged to connect with a trojanized SSL/VPN client, being provided with an IP address and login details, under the guise of proving their C++ programming language abilities.
Two coding challenges were sent as a part of the supposed hiring process. The initial challenge consists of a straightforward project that displays the phrase "Hello, World!" while the second challenge prints a Fibonacci sequence - a series of numbers where each number is the sum of the two numbers that came before it.
These "challenges" delivered malicious payloads to the victims, including a sophisticated remote access trojan (RAT) that ESET calls LightlessCan. This new RAT mimics a set of native Windows commands, allowing it to run its executions undetected. Lazarus also made sure the payload would only be encrypted on the specific victim's machine to avoid maximum exposure.
This isn't the first time we've seen employees get duped by cybercriminals posing as recruiters, and it won't be the last. New school security awareness training can help employees learn to recognize and fend off malicious activity designed to lure job-seekers.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.