Security researchers have uncovered a malware campaign that uses recruitment for jobs in the US Army as a means of tricking victims into opening a malicious email attachment.
What makes the malware particularly interesting is that it is staged and managed from legitimate – but compromised – Korean online retailers. This means that the malicious traffic can blend in with the regular traffic from the retailer.
The attack chain probably begins with an email containing a .ZIP archive, according to the Securonix Threat Research team. The archive itself is named in Korean and is called “U.S. Army job posting website address and how to use it”.
Inside is a legitimate PDF called “Multi National Recruitment System”, completely in Korean, as well as another .ZIP archive, which contains the malicious .lnk version of the same file. The researchers note that this is odd behaviour, since nesting the shortcut in its own archive makes it more likely that the malicious file is never opened at all.
“Why the attackers zipped the .lnk file into its own zip file, we’re not quite sure as it does increase the odds that this could be missed in favour of the actual PDF file,” the research team said in a blog post breaking down the campaign.
The odd grammar and some spelling errors in one file, as well as the fact the attack seems to be targeting Korean speakers, leads the researchers to believe that the threat actors behind the campaign are likely North Korean and state-backed.
“Based on the source and likely targets,” the researchers said, “these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials”.
The attack chain also makes use of a third file in the .ZIP archive, called Thumbs.db. Windows Explorer normally creates a file of that name as a thumbnail cache to speed up folder browsing, so it could seem an innocuous inclusion.
In this case, however, Thumbs.db contains PowerShell code. Rather than embedding the malicious code in the .lnk file itself, it’s stored here and just called on by the .lnk file.
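A defender can turn the Thumbs.db trick described above into a simple triage check: a genuine thumbnail cache is an OLE2 compound document with a fixed 8-byte header, so a Thumbs.db that instead contains readable script text, especially next to a .lnk file, deserves a closer look. The following is an added example written for this article, not code from Securonix; the keyword list and the sample archive contents are constructed assumptions.

```python
from __future__ import annotations
import re
from pathlib import Path

# Header of an OLE2 compound document, which a real Thumbs.db always starts with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Tokens typical of PowerShell source (an assumed, illustrative list).
PS_TOKENS = re.compile(rb"(?i)(Invoke-[A-Za-z]+|\bIEX\b|New-Object|DownloadString|Start-Process|schtasks)")


def classify_thumbs_db(data: bytes) -> str:
    """Return 'ole' for a real thumbnail cache, 'script' if it looks like PowerShell, else 'unknown'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if PS_TOKENS.search(data):
        return "script"
    return "unknown"


def scan_extracted_archive(files: dict[str, bytes]) -> list[str]:
    """files maps each path inside an extracted archive to its content.
    Returns human-readable findings; an empty list means nothing looked off."""
    findings = []
    has_lnk = any(name.lower().endswith(".lnk") for name in files)
    for name, data in files.items():
        if Path(name).name.lower() != "thumbs.db":
            continue
        verdict = classify_thumbs_db(data)
        if verdict != "ole":
            msg = f"{name}: not an OLE thumbnail cache ({verdict})"
            if has_lnk:
                msg += "; .lnk file present in same archive"
            findings.append(msg)
    return findings


# Constructed samples: a benign cache beside a photo, and a lure-style layout
# whose Thumbs.db holds script text instead of thumbnails.
SAMPLE_BENIGN = {
    "photos/Thumbs.db": OLE_MAGIC + b"\x00" * 24,
    "photos/cat.jpg": b"\xff\xd8\xff",
}
SAMPLE_SUSPECT = {
    "recruit/Multi National Recruitment System.pdf": b"%PDF-1.4\n",
    "recruit/Multi National Recruitment System.lnk": b"L\x00\x00\x00",
    "recruit/Thumbs.db": b"Start-Process notepad.exe  # constructed placeholder text",
}

if __name__ == "__main__":
    for finding in scan_extracted_archive(SAMPLE_SUSPECT):
        print(finding)
```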
The code itself downloads a further two malicious payloads from a compromised website called jkmusic, and two scheduled tasks are created, which, in turn, create persistence and maintain daily contact with another compromised website.
The binary installed on a victim’s machine is “heavily obfuscated”, but the researchers did note it making HTTP requests to Korean online retailer notebooksell.
“Once the connection was established, the attackers were able to acquire system details such as the system MAC address, Windows version, IP address,” the researchers said.
The Securonix Threat Research team is calling the campaign STARK#MULE and is continuing to monitor its progress.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.