Lazarus Malware Targets Tech Jobseekers: Here’s What You Need to Know

Finding a new job is hard, and it’s even trickier to get one which suits your skillset, your ambitions, and your work pattern. If you’re in the tech industry, replying to the wrong job advert can see you risking your own security and that of your current employers, thanks to hacked open source apps carrying ZetaNile malware. Here’s what you need to know.

Why Are Jobseekers at Risk?

State-sponsored North Korean criminal hacking group, Lazarus, is targeting workers in the technology, defense, and media entertainment areas with spear phishing attacks over LinkedIn.

According to Microsoft Threat Intelligence Center (MSTIC), the criminals—also known as ZINC—pose as recruiters, reaching out to individuals in targeted sectors, and encouraging them to apply for open positions. After a seemingly normal recruiting process, conversations are moved off the platform before recruits are asked to download and install popular open source apps such as the PuTTY SSH client, the KiTTY terminal emulator, and TightVNC Viewer.

These open source tools are commonly used in the tech world, and are widely available online free of charge, but the versions offered by Lazarus over WhatsApp are hacked to facilitate delivery of malware.

The apps are distributed as part of a zip archive or ISO file, and do not themselves contain the malware. Instead, the executable connects to an IP address specified in an accompanying text file, from where the ZetaNile malware is downloaded and installed.
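For security teams, the packaging described above (a familiar tool's executable shipped next to a text file that holds an IP address) can be checked for before anything is run. The script below is an added example, not code from MSTIC or from the original article; the tool-name list comes from the apps named here, and matching on file names, the 64 KB text limit, and the sample archive are assumptions made for illustration.

```python
import io
import ipaddress
import re
import zipfile

# Tool names taken from the article; matching on file name only is an assumption.
LURE_TOOLS = ("putty", "kitty", "tightvnc", "sumatrapdf")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAX_TEXT = 64 * 1024  # only read small text files (assumed limit)

def find_ips(text):
    """Return the syntactically valid IPv4 addresses found in text."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # out-of-range octets such as 999.1.1.1
    return found

def triage_zip(data):
    """Flag a ZIP that pairs a lure-tool executable with a text file holding an IP."""
    tools, ip_files = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.lower().rsplit("/", 1)[-1]
            if base.endswith(".exe") and any(t in base for t in LURE_TOOLS):
                tools.append(info.filename)
            elif base.endswith(".txt") and info.file_size <= MAX_TEXT:
                ips = find_ips(zf.read(info).decode("utf-8", errors="replace"))
                if ips:
                    ip_files[info.filename] = ips
    return {"tools": tools, "ip_files": ip_files,
            "suspicious": bool(tools and ip_files)}

def build_sample(files):
    """Build an in-memory ZIP from a {name: bytes} dict (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample({"putty.exe": b"MZ",  # constructed, not a real binary
                           "readme.txt": b"Server: 192.0.2.10\nUser: demo"})
    print(triage_zip(sample))
```

A hit is a reason to inspect the archive further, not a verdict: a four-part version number in a readme also parses as an IPv4 address, and a renamed executable will not match the name list.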

Lazarus weaponizes the job application at every stage, including the application form itself—applicants are encouraged to fill in the form using a subverted version of Sumatra PDF Reader.

What Is ZetaNile and What Does It Do?

Once the backdoor has been retrieved from its remote location, a scheduled task is created, guaranteeing persistence. It then copies a legitimate Windows system process, and loads malicious DLLs before connecting to a Command and Control domain.

From this point, an actual human is in control of your machine (sadly, it isn’t you). They can identify domain controllers and network connections, as well as open documents, take screenshots, and exfiltrate your data. The criminals can install additional malware on the target system too.

What Should You Do if You Suspect You Have ZetaNile Malware?

The individual jobseeker is unlikely to be aware they have installed malware on their corporate network, but MSTIC has provided some handy instructions for the system admins and security teams who are left to pick up the pieces:

This last item is especially telling, and the aphorism that the weakest link in the security supply chain is the user is true for good reason. Any software problem or security hole can be fixed, but it’s difficult to stop the person behind the keyboard from installing dodgy packages—especially if they’re tempted by a new, well-paid job.

If you’re tempted to install sketchy software on your work computer: simply don’t. Instead, ask IT to do it for you (they’ll warn you if something is amiss), or if you absolutely must, then download from the official source.

Criminals Are Always Looking for a Way Into Networks

Corporate secrets are valuable, and there are always people and groups looking for an easy way to get hold of them. By targeting jobseekers, they can almost guarantee that the initial victim won’t get IT involved—no one wants to be seen applying for new jobs from their work computer. If you’re using your employer’s equipment, you should only use it for work. Save the jobseeking for when you get home.
