Full Report
Executive Summary We are in the midst of an economic slump [1], with more candidates than there are jobs, something... The post Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? appeared first on McAfee Blog.
Analysis Summary
# Threat Actor: Hidden Cobra (Attributed to North Korea)
## Attribution & Identity
**Identification:** Threat actor group referred to by the U.S. Government as Hidden Cobra, which is an umbrella term for North Korean state-sponsored threat groups.
**Associated Groups:** Lazarus, Kimsuky, KONNI, and APT37.
## Activity Summary
McAfee ATR observed a targeted campaign in 2020 leveraging high-quality job postings, primarily from leading defense contractors, as lures in malicious documents. This campaign targeted individuals with specific skills relevant to the fake job postings. The activity is assessed to be a continuation of similar campaigns observed in 2017 and 2019. The primary goal of the 2020 activity was to install data-gathering DLL implants to classify the value of the target by collecting basic machine information. The actor has since expanded this false job recruitment lure campaign to other sectors, including finance (e.g., a document masquerading as a finance role at an animation studio).
## Tactics, Techniques & Procedures
- **Luring:** Spear-phishing using malicious documents containing legitimate job postings from major defense contractors (2017, 2019, 2020 campaigns).
- **Execution:** Use of Visual Basic code to execute the implant.
- **Payload Delivery:** Use of malicious DLL implants designed for data gathering.
- **Persistence:** Covered in the analysis but specific mechanisms were not detailed in the summary portion.
- **C2 Infrastructure:** Compromised infrastructure from multiple European countries used for hosting C2 and distributing implants.
- **Functionality Similarity:** Core functionality between 2019 and 2020 implants showed high similarity.
## Targeting
- **Sectors:** Aerospace & Defense (primary focus in 2017/2020), expanded to include Finance (in related 2020 activity).
- **Geography:** Campaigns impact the security of South Korea and foreign nations.
- **Victims:** Individuals employed by defense contractors, targeted based on the content of the lure documents/job descriptions.
## Tools & Infrastructure
- **Malware Families Used:** Data gathering DLL implants.
- **Infrastructure (C2, domains, IPs):** Compromised infrastructure located in multiple European countries.
## Implications
This actor group demonstrates sustained interest in gaining intelligence regarding key military and defense technologies over several years (2017, 2019, 2020). The use of convincing, real-world lures (job postings) indicates a high level of social engineering capability, effectively hiding their activity during an economic downturn. The current focus on target classification post-infection suggests espionage as a primary objective.
## Mitigations
- Caution regarding unsolicited job offers, especially those promising high compensation or related to sensitive industries.
- Deep inspection of attached documents, paying close attention to Visual Basic macros.
- Monitoring for reconnaissance activity immediately following successful document opening, as the implant's first stage seems focused on victim identification.
- Network monitoring for connections to compromised foreign infrastructure.