# Full Report
The attacks, which involved fake job offers as a social engineering lure, were likely aimed at stealing proprietary information about drone manufacturing, ESET said in a report. The post North Korea’s Lazarus group attacked three companies involved in drone development appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to North Korea. This advanced persistent threat (APT) group specializes in espionage, sabotage, and financial gain. The specific activity detailed is linked to the **Operation DreamJob** campaign.
## Activity Summary
In late March last spring, Lazarus targeted three Europe-based companies active in the defense and drone development sectors. The likely goal was to steal proprietary information about drone components, manufacturing know-how, and software. The targets were a metal engineering company, an aircraft component manufacturer, and a defense company; some of them supply military equipment currently deployed in Ukraine.
## Tactics, Techniques & Procedures
- **Social Engineering:** Used fake job offers for high-profile positions as the initial access vector (Operation DreamJob).
- **Initial Access:** Sent targets a decoy job-description document bundled with a trojanized PDF reader.
- **Malware Deployment:** Deployed malware droppers containing a dynamic-link library named `DroneEXEHijackingloader.dll`; the name itself points to a DLL-hijacking loader and to a focus on drone technology.
- **Payload:** Deployed the **ScoringMathTea** remote access trojan (RAT), the group's preferred payload since 2022, which gives the operators complete control of compromised machines.
## Targeting
- **Sectors:** Defense sector, specifically companies involved in drone (UAV) development and manufacturing, metal engineering, and aircraft component manufacturing.
- **Geography:** Europe-based companies. Previous operations mentioned targeting entities in India, Poland, the United Kingdom, and Italy.
- **Victims:** Three unspecified Europe-based companies involved in drone development/defense supply chains.
## Tools & Infrastructure
- **Malware families used:** ScoringMathTea (Primary RAT).
- **Infrastructure (C2, domains, IPs; defanged):** Not explicitly detailed in the provided text, beyond a reference to ESET publishing binaries and indicators of compromise.
## Implications
The operation demonstrates North Korea's sustained interest in advanced military technologies, specifically Unmanned Aerial Vehicles (UAVs), potentially to bolster its own drone manufacturing programs. The targeting of suppliers whose equipment is used in active conflict zones (such as Ukraine) suggests intelligence gathering with direct military relevance. The continued use of the fake job offer lure highlights how effective this predictable social engineering tactic remains.
## Mitigations
- Treat unsolicited job offers for high-profile positions that ask the recipient to open unexpected documents as suspicious, and apply stringent controls to them.
- Strengthen endpoint detection and response coverage, in particular detections for known Lazarus malware such as ScoringMathTea.
- Organizations in the defense or aerospace sectors should hunt for malware droppers and DLL loads involving specific library names such as `DroneEXEHijackingloader.dll`.
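The TTPs above (a trojanized PDF reader delivered alongside a decoy document, and a loader whose name advertises DLL hijacking) and the last mitigation together describe one hunt: look for a process that lives in a user-writable folder loading an unsigned DLL from the same kind of folder, and flag the specific loader name ESET reported. The script below is an added example, not code from ESET, CyberScoop, or the report; it consumes Sysmon Event ID 7 (Image loaded) records in JSON-lines form, using the real Sysmon field names `Image`, `ImageLoaded`, and `Signed`. The sample records, the `PDFReader.exe` process name, and the list of user-writable directory markers are constructed assumptions; the only indicator taken from the page is the DLL name.

```python
"""Hunt Sysmon Event ID 7 (Image loaded) records for the sideloading pattern
described on this page. Added example; the records below are constructed."""
import json
import ntpath

# Indicator taken from the page: the loader DLL name ESET attributed to Lazarus.
KNOWN_LOADER_DLLS = {"droneexehijackingloader.dll"}

# Directory fragments a phished user can write to (assumed list; extend for your estate).
USER_WRITABLE_MARKERS = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\desktop\\",
)

# Constructed Sysmon Event ID 7 records in JSON-lines form; not real telemetry.
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 7,
                "Image": "C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe",
                "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
                "Signed": "true"}),
    json.dumps({"EventID": 7,
                "Image": "C:\\Users\\jdoe\\Downloads\\JobOffer\\PDFReader.exe",
                "ImageLoaded": "C:\\Users\\jdoe\\Downloads\\JobOffer\\DroneEXEHijackingloader.dll",
                "Signed": "false"}),
    json.dumps({"EventID": 7,
                "Image": "C:\\Users\\jdoe\\Downloads\\JobOffer\\PDFReader.exe",
                "ImageLoaded": "C:\\Users\\jdoe\\Downloads\\JobOffer\\version.dll",
                "Signed": "false"}),
    json.dumps({"EventID": 1,
                "Image": "C:\\Windows\\explorer.exe",
                "CommandLine": "explorer.exe"}),
])


def in_user_writable(path: str) -> bool:
    """True when the path sits under a directory an ordinary user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def classify(event: dict) -> list:
    """Return the reasons an Event ID 7 record looks like sideloading (empty = benign)."""
    if event.get("EventID") != 7:
        return []
    image = event.get("Image", "")
    dll = event.get("ImageLoaded", "")
    reasons = []
    # Rule 1: exact match on the loader name reported for this campaign.
    if ntpath.basename(dll).lower() in KNOWN_LOADER_DLLS:
        reasons.append("known-loader-name")
    # Rule 2: behavioural match that does not depend on the attacker reusing a name:
    # an executable in a user-writable folder loading an unsigned DLL from a
    # user-writable folder, which is what a trojanized reader dropped from a
    # job-offer lure looks like.
    if (in_user_writable(image) and in_user_writable(dll)
            and str(event.get("Signed", "true")).lower() == "false"):
        reasons.append("unsigned-dll-sideload-from-user-dir")
    return reasons


def hunt(log_text: str) -> list:
    """Scan JSON-lines Sysmon output; return (loaded DLL path, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ImageLoaded", ""), reasons))
    return hits


if __name__ == "__main__":
    for dll_path, why in hunt(SAMPLE_LOG):
        print(f"ALERT {dll_path}: {', '.join(why)}")
```

Rule 2 is the one worth keeping long-term: the loader's filename is a brittle indicator that the operators can change for free, whereas an unsigned DLL loaded by an executable that was itself delivered into Downloads is a structural feature of the lure. Expect some noise from legitimately unsigned developer tooling run out of user folders; tune the marker list and add a signer allowlist before turning it into an alert.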