It is difficult to find a new job, and it is even more difficult to get one that matches your skills, ambitions and work pattern. If you’re in the tech industry, responding to the wrong job ad could see you risking your own safety and the safety of your current employer, thanks to hacked open source apps containing ZetaNile malware. Here’s what you need to know.
Why are job seekers at risk?
The state-sponsored North Korean criminal hacking group, Lazarus, is targeting workers in the technology, defense and media entertainment fields with spear-phishing attacks over LinkedIn.
According to the Microsoft Threat Intelligence Center (MSTIC), the criminals – also known as ZINC – pose as recruiters, reaching out to individuals in targeted sectors and encouraging them to apply for open positions. After a seemingly normal recruitment process, conversations are moved off the platform before recruits are asked to download and install popular open source apps such as the PuTTY SSH client, KiTTY terminal emulator and TightVNC Viewer.
These open source tools are commonly used in the tech world and are widely available for free online, but the versions offered by Lazarus over WhatsApp are hacked to facilitate the delivery of malware.
The apps are distributed as part of a zip archive or ISO file, and do not contain malware themselves. Instead, the executable connects to an IP address specified in an accompanying text file, from which the ZetaNile malware is downloaded and installed.
Lazarus weaponizes the job application at every stage, including the application form itself – applicants are encouraged to complete the form using a subverted version of Sumatra PDF Reader.
What is ZetaNile and what does it do?
Once the backdoor is retrieved from the remote location, a scheduled task is created, which guarantees persistence. It then copies a legitimate Windows system process and loads malicious DLLs before connecting to a command and control domain.
From this point on, an actual human is in control of your machine (unfortunately, it’s not you). They can identify domain controllers and network connections, as well as open documents, take screenshots and exfiltrate your data. The criminals may also install additional malware on the target system.
What should you do if you suspect you have ZetaNile malware?
The individual job seeker is unlikely to be aware that they have installed malware on their corporate network, but MSTIC has provided some useful instructions for the system administrators and security teams left to pick up the pieces:
- Check for the existence of Amazon-KiTTY.exe, Amazon_IT_Assessment.iso, IT_Assessment.iso, amazon_assessment_test.iso or SecurePDF.exe on computers.
- Remove the C:\ProgramData\Comms\colorui.dll and %APPDATA%\KiTTY\mscoree.dll files.
- Block network access to 172.93.201[.]253, 137.184.15[.]189 and 44.238.74[.]84. These IPs are hardcoded into the malware.
- Review all authentication activity for remote access infrastructure.
- Enable multi-factor authentication for all systems.
- Educate users about preventing malware infections and protecting personal and business information.
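As an added example (not from the article or from MSTIC), here is a Python checker that applies the file-name, DLL-path and IP indicators above to a constructed file inventory and a constructed firewall log; the sample paths, the log lines and the %APPDATA% location are assumptions. It matches the two DLLs on their full path rather than their name, because mscoree.dll is also the legitimate .NET runtime loader under System32.

```python
import re
from pathlib import PureWindowsPath

# File names MSTIC lists as indicators (taken from the article above).
IOC_FILENAMES = {
    "amazon-kitty.exe", "amazon_it_assessment.iso", "it_assessment.iso",
    "amazon_assessment_test.iso", "securepdf.exe",
}
# DLL drops are matched on full path: mscoree.dll also exists legitimately in
# System32, so only the %APPDATA%\KiTTY copy is an indicator.
IOC_DLL_PATHS = [r"C:\ProgramData\Comms\colorui.dll", r"%APPDATA%\KiTTY\mscoree.dll"]
# Hardcoded C2 addresses, defanged on the page; re-fang them for matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in
           ("172.93.201[.]253", "137.184.15[.]189", "44.238.74[.]84")}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def expand_dll_paths(appdata: str) -> set[str]:
    """Resolve %APPDATA% so the DLL IoCs become concrete, lower-cased paths."""
    return {str(PureWindowsPath(p.replace("%APPDATA%", appdata))).lower()
            for p in IOC_DLL_PATHS}

def find_file_iocs(paths, appdata=r"C:\Users\jdoe\AppData\Roaming") -> list[str]:
    """Return every inventory path matching a ZetaNile file or DLL indicator."""
    dll_iocs = expand_dll_paths(appdata)   # assumed profile location
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in IOC_FILENAMES or str(wp).lower() in dll_iocs:
            hits.append(p)
    return hits

def find_network_iocs(log_lines) -> list[tuple[int, str]]:
    """Return (line number, ip) for log lines that mention a hardcoded C2 IP."""
    return [(n, ip) for n, line in enumerate(log_lines, 1)
            for ip in IP_RE.findall(line) if ip in IOC_IPS]

# Constructed sample inventory and firewall lines (not real data).
SAMPLE_PATHS = [
    r"C:\Windows\System32\mscoree.dll",                  # legitimate, must not match
    r"C:\Users\jdoe\AppData\Roaming\KiTTY\mscoree.dll",  # dropped copy
    r"C:\Users\jdoe\Downloads\Amazon-KiTTY.exe",
    r"C:\ProgramData\Comms\colorui.dll",
    r"C:\Users\jdoe\Downloads\putty.exe",                # benign download
]
SAMPLE_LOG = [
    "2022-09-30T10:01:02 ALLOW TCP 10.0.0.5:51000 -> 172.93.201.253:443",
    "2022-09-30T10:01:05 ALLOW TCP 10.0.0.5:51001 -> 142.250.74.78:443",
]

if __name__ == "__main__":
    print(find_file_iocs(SAMPLE_PATHS))
    print(find_network_iocs(SAMPLE_LOG))
```

On a real host the inventory would come from a recursive directory walk and the log from the firewall or proxy, but the matching logic is the same.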
This last element is particularly telling, and the aphorism that the weakest link in the security supply chain is the user rings true with good reason. Any software problem or security hole can be fixed, but it’s hard to stop the person behind the keyboard from installing dodgy packages—especially if they’re tempted by a new, well-paying job.
For users tempted to install sketchy software on their work computer: just don’t. Instead, ask IT to do it for you (they will warn you if something is wrong), or if you absolutely must, download from the official source.
Criminals are always looking for a way into networks
Trade secrets are valuable, and there are always people and groups looking for an easy way to get hold of them. By targeting job seekers, they can almost guarantee that the first victim will not involve IT – no one wants to be seen applying for new jobs from their work computer. If you use your employer’s equipment, you should only use it for work. Save the job search for when you get home.