A phishing lure disguised as a legitimate inquiry by a recruiter for a new job opportunity inserts a malicious template into an attached Word document, which then gathers intelligence on the target, usually a highly-skilled technology worker in the aerospace and defense industries.
The attack, dubbed Operation North Star, was discovered by researchers in McAfee’s Advanced Threat Research team. In a recent blog post, the researchers indicated that the attackers were mainly trying to gain intelligence on targeted high-tech workers.
Christiaan Beek, lead scientist and senior principal engineer for McAfee, added that the techniques, tactics and procedures (TTPs) of Operation North Star are very similar to previous campaigns McAfee researchers observed in 2017 and 2019.
While the McAfee researchers don’t know for sure, Beek said the attack appears very similar to the TTPs used in the earlier attacks by Hidden Cobra, an umbrella term used to refer to threat groups attributed to North Korea by the U.S government. Hidden Cobra consists of threat activity from groups the security industry labels Lazarus, Kimsuky, KONNI and APT37. The cyber-offensive programs attributed to these groups have been documented for many years. Their goals range from gathering data around military technologies to crypto currency theft from leading exchanges.
Raj Samani, chief scientist and McAfee fellow, said this recent campaign used malicious documents to install malware on the targeted system using what’s known as a template injection attack. This technique lets a weaponized document download an external Word template containing macros that are later executed. Samani said bad threat actors use template injection attacks to bypass static malicious document analysis, as well as detection, adding that malicious macros are embedded in the downloaded template.
“These malicious Word documents contained content related to legitimate jobs at leading defense contractors,” Samani said. “All three of these organizations have active defense contracts of varying size and scope with the U.S. government.”
Samani added that the Word documents with the job information were sent to an unknown number of targets from March 31 to as recent as this past week. He said the McAfee team found that Operation North Star targeted highly-skilled defense and aerospace workers in the United States, Europe and South Korea. The victims would receive an email with an attachment that contained information about the potential job, something that happens every day.
“They were looking to prey on people’s willingness to learn about new jobs,” Samani. “It’s a very normal thing that happens all the time in the security industry. The attackers count on that most job seekers won’t report anything suspicious to their supervisors because they wouldn’t want them to think they are leaving the company.”
Ken Liao, vice president of cybersecurity strategy at Abnormal Security, said that these kind of targeted social engineering-based email attacks are the top risk facing today’s workers,
“Malicious actors won’t hesitate to weaponize widespread economic uncertainty, which appears to be the case with these hackers targeting job seekers,” Liao said. “Employees need to be vigilant, and should never click on an attachment that they are not 100 percent certain is from a trusted source. Employers share the responsibility, and need to automatically detect signals coming from email that could pose a threat.”
Brandon Hoffman, head of security strategy and CISO at Netenrich, said while the methods used are highly interesting to a technical audience, the security-related takeaways are not all that dramatically different from other campaigns that security researchers see regularly.
“Breaking down the campaign to its simplest terms, it used phishing techniques, Word documents, DLLs and libraries for persistence and is still reliant on command and control for objective completion,” Hoffman said. “While this campaign was clearly advanced and targeted, basic protections such as security awareness, phishing protection, a solid endpoint protection strategy, and quality threat intelligence that’s operationalized would likely have made the bar significantly higher for this campaign’s success.”
