Not a dream job: Hunting for malicious job offers from an APT

2022-11-03 • Virustotal •

https://blog.virustotal.com/2022/11/not-dream-job-hunting-for-malicious-job.html

#DreamJob #UNC4034 #PuTTY

Thumbnail for Not a dream job: Hunting for malicious job offers from an APT

VirusTotal expanded on Mandiant’s reporting about UNC4034, activity assessed as likely related to a North Korean actor and possibly an extension of Operation Dream Job. The campaign used job-offer social engineering, beginning with an Amazon-themed email and continuing through WhatsApp Web, where the attacker shared malicious ISO files as part of a fake assessment process. VirusTotal pivoted from known ISO hashes and filenames such as amazon_test.iso and Amazon_Assessment.iso to find additional samples with similar two-file structures: a poisoned PuTTY-like executable and Readme.txt. The hunting methodology used ISO filenames, volume names, metadata, and VirusTotal relationships to identify related Dell, IBM, SA, and IT assessment-themed lures.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	52ec2098ed37d4734a34baa66eb79ec…	2022-11-03	2022-11-03
HASH	6af9af8aa0d8d4416c75e0e3f7a20df…	2022-11-03	2022-11-03
HASH	dc20873b80f5cd3cf221ad5738f4113…	2022-11-03	2022-11-03
HASH	455a7ebf67aec7b4d6cc18ed930bde4…	2022-11-03	2022-11-03
HASH	3818527bc78efcece9d9bc87d77efa9…	2022-11-03	2022-11-03
HASH	75771b5c57bc7f0d233839a610fa7a5…	2022-11-03	2022-11-03
HASH	cd8e12cddfe71b89597b6621d538b63…	2022-11-03	2022-11-03
HASH	ccdb436a5941ba47a8b7e110021ad98…	2022-11-03	2022-11-03
IPv4	143.244.186.68	2022-11-03	2022-11-03
IPv4	147.182.237.105	2022-11-03	2022-11-03
IPv4	3.137.98.129	2022-11-03	2022-11-03
HASH	14f736b7df6a35c29eaed82a47fc0a2…	2022-09-29	2022-11-03
HASH	37e30dc2faaabaf93f0539ffbde0324…	2022-09-29	2022-11-03
IPv4	44.238.74.84	2022-09-29	2022-11-03
HASH	8cc60b628bded497b11dbc04facc7b5…	2022-09-14	2022-11-03
HASH	e03da0530a961a784fbba93154e9258…	2022-09-14	2022-11-03
HASH	cf22964951352c62d553b228cf4d2d9…	2022-09-14	2022-11-03
IPv4	137.184.15.189	2022-09-14	2022-11-03
IPv4	172.93.201.253	2022-04-26	2022-11-03

Related Actors

UNC4034

Mandiant

TEMP.Hermit

First seen: Sep 2022

Last seen: Nov 2022

Related Reports

2022-09-14 • 64% Match

It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp

Mandiant

#UNC4034 #PuTTY #T1059.003 #T1071.001 #T1566.003 #T1566.001 #T1053.005 #T1132.001 #T1620 #T1573.001 #T1218 #T1573.002 #T1071.002 #T1574.001 #T1055.001

Shares tags: UNC4034, PuTTY • Shares 4 IOCs

2023-01-05 • 23% Match

Emulating the Highly Sophisticated North Korean Adversary Lazarus Group

Attack IQ

#Trend #DreamJob #Inception #MagicRAT #ThreatNeedle #Sharpshooter #T1082 #T1041 #T1071.001 #T1046 #T1112 #T1083 #T1057 #T1547.001 #T1053.005 #T1036.005 #T1003 #T1105 #T1055 #T1220 #T1049 #T1016 #T1074.001 #T1218.011 #T1218.010 #T1047 #T1025 #T1033 #T1543.003 #T1012 #T1007 #T1572 #T1552.002 #T1003.002 #T1048.001

Shares tag: DreamJob

2022-09-07 • 23% Match

S/2022/668 Midterm report of the Panel of Experts

UN

#DreamJob #Kimsuky #Sanctions #Bluenoroff #NukeSped #Stonefly #VHD

Shares tag: DreamJob

2022-08-11 • 23% Match

Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering

PWC

#DreamJob #Inception #BlackArtemis #BlackAlicanto

Shares tag: DreamJob

2022-09-29 • 20% Match

ZINC weaponizing open-source software

Microsoft

#Zinc

Shares 5 IOCs

2023-04-20 • 18% Match

Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack

ESET

#DreamJob #YARA #3CXDesktopApp #SmoothOperator #T1090 #T1140 #T1585.003 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1083 #T1204.002 #T1566.002 #T1132.001 #T1573.001 #T1497.003 #T1593.001 #T1584.001 #T1134.002 #T1027.009 #T1562.003 #T1546.004

Shares tag: DreamJob

« Back