
North Korea’s “fake worker program” was filmed live

  • Researchers fooled North Korean hackers with a fake job advertisement.
  • The hackers were led to use a sandbox that they believed was a real laptop.
  • This provided valuable information about their tactics.

Research carried out by BCA Ltd founder Mauro Eldritch, in collaboration with Northern Exploration and ANY.RUN, observed the infamous Lazarus Group in one of its best-known schemes: the “harmful interviews” campaign. In this scheme, workers from the Democratic People’s Republic of Korea try to convince legitimate recruiters to hire them at high-profile companies, in positions they can then use to carry out malicious activity.

The investigators caught the hackers using what the hackers believed were “real developer laptops” but were in fact remote ANY.RUN sandbox environments.

In the latest campaign observed, hackers recruited real engineers as frontmen and offered them 20 to 30 percent of their salaries in exchange for attending interviews and meetings.

Chollima celebrates

By tricking the criminals, known as Famous Chollima, into using the sandbox, the researchers were able to uncover their tactics and a small but powerful set of tools that let them take control of identities without using ransomware.

The criminals appear to use browser-based OTP generators, AI automation tools, and Google Remote Desktop to bypass 2FA and keep the host under constant monitoring.

This is not particularly surprising, as many iterations of these attacks have been seen, with evolving technical tools and strategies. The FBI recently issued a statement warning of attacks by North Korean hackers:

“North Korea’s social engineering efforts are complex and extensive, often compromising victims with sophisticated technical acumen. Given the scale and persistence of these malicious activities, even those familiar with cybersecurity practices may be vulnerable to North Korea’s determination to compromise networks associated with cryptocurrency holdings.”

This research gives security teams more detailed insight into how these criminal groups operate, so businesses can have more confidence in their defenses. It is important that companies understand the common tools these groups use, since a single compromise can lead to much deeper infiltration.

Via: Hacker News