McAfee security researchers first released detailed information on Operation North Star earlier this year, highlighting the campaigns conducted by Lazarus Group (Hidden Cobra) targeting defense and aerospace companies in a social engineering and phishing campaign. McAfee’s coverage showed that the campaign was larger than previously thought. In the initial McAfee report, the actors behind Operation North Star were unknown; however, further analysis of the operation revealed attack tactics identical to those of the Lazarus group. Lazarus allegedly works out of North Korea on behalf of Pyongyang.
The spear-phishing emails and LinkedIn messages seemingly originate from job recruiters and lure victims into opening malicious attachments. Lazarus is a sophisticated APT and utilizes legitimate recruitment advertisements taken from US defense contractor websites to boost authenticity. The newest research from McAfee shows how the hackers work using two stages of malware implants: the first allows them to gather preliminary data to determine whether the victim is high-value enough to continue with the attack, and the second lets them take over the victim’s network. The second stage consists of the implant Torisma, a custom-developed tool that monitors high-value victims’ systems and boasts sophisticated detection evasion techniques.
Read More: This hacking group is using previously unknown tools to target defence contractors