A suspected North-Korean hacking group is targeting security researchers and media organisations in the U.S. and Europe using fake job offers on LinkedIn.
Spear-phishing lures built around job requirements are being used to deploy three new custom malware families, Touchmove, Sideshow and Touchshift, according to a blog post from Mandiant.
The attackers begin by approaching targets on LinkedIn, posing as job recruiters, and then switch the conversation to WhatsApp to share a malicious Word document.
The document is designed to perform remote-template injection, fetching malicious code from compromised WordPress sites that the attackers use as command-and-control servers. This establishes a foothold for a payload that disguises itself as a legitimate Windows binary, which is then used to load a backdoor called TouchShot onto the victim’s device.
With this foothold, the attackers execute arbitrary code, modify the registry, manipulate firewall settings, add scheduled tasks, and execute additional payloads.
In cases where victims’ devices were connected to organisations that did not use a VPN, threat actors were found abusing Microsoft Intune to launch further attacks.
The identified tools highlight the continued deployment of new malware by threat actors. “Although the group has previously targeted defense, media, and technology industries, the targeting of security researchers suggests a shift in strategy or an expansion of its operations,” the post said.