FBI, DHS expose North Korean government malware used in fake job posting campaign


The FBI and DHS’ cybersecurity agency exposed malware Wednesday that North Korean government hackers have been using this year to target defense contractors in the military and energy sectors.

The hackers have been targeting contractors with fake job postings purporting to come from other defense contracting entities, luring targets into clicking through and installing the data-gathering implant on their systems, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint Malware Analysis Report (MAR). The attacks leverage a remote access trojan (RAT), which the FBI and CISA call “BLINDINGCAN,” to gain a foothold in networks and then maintain access for further network exploitation, the agencies said.

The hackers, belonging to a group the U.S. government calls Hidden Cobra, have been using the malicious software in an effort to collect intelligence surrounding key military and energy technologies, the FBI and CISA said. As part of their lures, the North Korean hackers at times appeared to use logos and imagery from Boeing in Microsoft Word documents that were compressed into .zip files, according to the MAR. Some of the documents suggested they were “human resources department” files.

The campaign appears similar to a North Korean government hacking campaign that recently targeted the Israeli defense sector, identified by the Israeli Ministry of Defense last week. That campaign likewise uses fake job offers and impersonates CEOs on LinkedIn to target victims, according to the Israeli government. ClearSky, an Israeli security firm that found part of the campaign was carried out through WhatsApp messages, said some of the intrusions were successful.

North Korean government-linked hackers perennially use LinkedIn as a vector for their intelligence-gathering operations, according to security researchers. Just last month, McAfee researchers outed a similar LinkedIn campaign, run in April by suspected North Korean hackers seeking to infiltrate aerospace and defense firms. It wasn’t clear if the campaigns were identical, but at least two of the files shared by the government, including a downloader and a trojan, matched indicators of compromise from that campaign.

According to FireEye analysis shared with CyberScoop, the campaign the U.S. government called out today dates to April of this year, like the McAfee-identified campaign, but related activity tracks as far back as November of last year and possibly into 2018. The activity, which FireEye tracks as “CUTELOOP” and “AIRDRY,” also goes beyond defense contractors: the North Korean hackers have targeted the media sector as well, Fred Plan, a senior analyst at FireEye’s Mandiant Threat Intelligence, told CyberScoop.

“The campaign focused on defense contractors and aerospace companies based in the U.S. and Europe, though the media sector was also impacted,” Plan told CyberScoop. “[M]alware overlaps link it to much older North Korean operations, including activity targeting cryptocurrencies in 2018.”

Fake job offers are a recurring feature of North Korean hacking: the FBI previously identified a North Korean spearphishing campaign using fake offers in 2016 and 2017.

The FBI and CISA shared the BLINDINGCAN malware in order to expose malicious cyber activity from the North Korean government and to help private-sector and government network defenders protect against intelligence-gathering cyber-operations. The release appears to be part of a broader effort the U.S. government has pursued over the last several years to share more information about adversarial threats, both to pressure adversaries into halting malicious cyber-operations and to signal that the U.S. government is able to unearth their intelligence missions.

Over the last two years the Pentagon’s Cyber Command, the offensive cyber-operations arm of the Department of Defense, along with the National Security Agency, the FBI, DHS’ CISA and the State Department, have exposed adversarial hacking operations at an increasing tempo. Cyber Command in particular has repeatedly called out North Korean financially motivated cyber-operations over the last year, as the regime seeks to fill its coffers amid international sanctions.

The BLINDINGCAN campaign, which the FBI and CISA said began early this year, uses a series of malware variants together with several proxy servers to carry out its intelligence-gathering, according to the MAR. The North Korean hackers use compromised infrastructure in multiple countries to host their command and control servers and deploy the RAT, the agencies said.

“FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” according to the MAR, which shares multiple indicators of compromise linked to the campaign.
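A triage check a defender might run on a lure of the kind described above (a Word document wrapped in a .zip) before matching it against the indicators the MAR publishes. This is an added example, not code from the article, the MAR, or any vendor named on this page: it walks the outer archive, hashes each member, compares the digests against a hash set, and flags Office documents that carry a VBA project. The IOC hashes below are constructed placeholders, since the real indicators are in the MAR and not reproduced here, and the macro check is a generic one; this page does not state whether the BLINDINGCAN documents used macros.

```python
"""Triage a zip-wrapped Office lure and sweep it against a hash IOC list.

Added example, not part of the original article or the FBI/CISA MAR.
The IOC hashes are constructed placeholders; the real indicators live in
the MAR and are not reproduced on this page.
"""
import hashlib
import io
import zipfile

# Constructed placeholder IOC set (lowercase SHA-256). In practice, load the
# hashes published in the MAR; this value matches nothing real.
KNOWN_BAD_SHA256 = {
    "0" * 64,  # placeholder, constructed for this example
}

OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".dotm", ".xls", ".xlsx", ".xlsm", ".rtf")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_macro_enabled_ooxml(data: bytes) -> bool:
    """OOXML documents are themselves zip containers; a VBA project is stored
    as word/vbaProject.bin (Word) or xl/vbaProject.bin (Excel). Non-OOXML
    members (legacy .doc, .rtf, plain text) simply return False here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return any(name.endswith("vbaProject.bin") for name in inner.namelist())
    except zipfile.BadZipFile:
        return False


def triage_lure_zip(zip_bytes: bytes, iocs=KNOWN_BAD_SHA256) -> list:
    """Return one finding dict per file member of the outer archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            data = outer.read(info)
            digest = sha256_bytes(data)
            lower = info.filename.lower()
            findings.append({
                "name": info.filename,
                "sha256": digest,
                "ioc_hit": digest in iocs,
                "office_doc": lower.endswith(OFFICE_EXTENSIONS),
                "macro_enabled": is_macro_enabled_ooxml(data),
                # Path-traversal sanity check: never extract such members blindly.
                "suspicious_path": info.filename.startswith("/")
                or ".." in info.filename.split("/"),
            })
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample for this example: a zip holding a fake 'HR' Word
    document that is itself a minimal OOXML container with a VBA project,
    plus a harmless text file. None of this is real campaign material."""
    docx_buf = io.BytesIO()
    with zipfile.ZipFile(docx_buf, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\x00constructed-placeholder-vba\x00")
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as z:
        z.writestr("HR_Job_Description.docm", docx_buf.getvalue())
        z.writestr("readme.txt", "Please review the attached position.")
    return outer_buf.getvalue()


if __name__ == "__main__":
    for finding in triage_lure_zip(build_sample_lure()):
        print(finding)
```

The hash comparison is deliberately exact: if the MAR lists SHA-256 values, normalise them to lowercase before loading them into the set, and treat a macro-enabled Office document that arrives as a job posting as worth a closer look even when no hash matches, since recompiled samples change the digest but not the delivery pattern.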

According to the U.S. government, the malware can execute files, collect information on installed disks, start or create processes, modify file timestamps, and cover its tracks by deleting itself and associated artifacts.

It was not immediately clear whether the campaign is actively targeting the U.S. defense sector, but the malware focuses on defense contractors in the U.S. and Europe, Mandiant’s Plan told CyberScoop. It was also not clear whether the BLINDINGCAN campaign was related to the North Korean campaign identified by the Israeli Ministry of Defense and ClearSky.


McAfee declined to comment for this story.