A custom ‘malware’ campaign linked to the Lazarus Group, which used a bogus job offer on the professional platform LinkedIn, has targeted military institutions and aerospace organizations in order to access its victims' confidential information and money.

ESET's laboratory has shared the discovery of a “highly targeted” cyberattack campaign against military institutions and aerospace companies that used fake LinkedIn messages and concealment techniques to avoid detection, with the aim of obtaining financial gain and confidential information.

The attacks, named ‘Operation In(ter)ception’ by ESET after the related ‘malware’ sample ‘Inception.dll’, took place between September and December last year, as reported in a statement.

“The attack started with a message from LinkedIn, a pretty credible job offer, originating from a relevant company in the sector,” as explained by the person responsible for the investigation at ESET, Dominik Breitenbacher. However, the LinkedIn profile was fake, and the messages sent during the conversation contained malicious files.

Messages were sent directly via LinkedIn or via email containing a link to OneDrive. In the case of email messages, the attackers had created email accounts that matched the fake LinkedIn profiles.

Once the victim opened the file, an apparently harmless PDF document with salary information about the fake job offer, the ‘malware’ was hidden on the device, giving the cybercriminals a way in as well as persistence on the system.

From then on, the attackers used multi-stage custom ‘malware’, which often masqueraded as legitimate ‘software’, along with modified versions of open source tools. In addition, they took advantage of a tactic known as ‘living off the land’, which consists of using Windows tools to carry out their malicious operations.

The head of the investigation indicates that the attacks observed “show all the typical signs of a spy campaign and numerous clues that would link them to the infamous Lazarus group.” However, the company has not yet discovered what files the criminals were looking for.

In addition to espionage techniques, ESET researchers have found evidence that the criminals were trying to get money from other companies using the compromised accounts. Among the victims’ ‘emails’, communications were found about unpaid bills between the victim and his clients, in which payment was urged to an account owned by the cybercriminals.

“This attempt to monetize the victim’s network access should serve as an example when looking at the need to establish a strong defense against intrusions and to adequately train employees of any organization in cybersecurity. A basic cybersecurity awareness helps workers to know and recognize the tactics used by cybercriminals by minorities,” concludes Breitenbacher.