Lazarus has been tied to a new campaign attacking hopeful job applicants in the defense industry. 

Recommends

The best ethical hacking certifications

Becoming a certified ethical hacker can lead to a rewarding career. Here are our recommendations for the top certifications.

Read now

The advanced persistent threat (APT) group has been impersonating Lockheed Martin in the latest operation. The Bethesda, Maryland-based company is involved in aeronautics, military technology, mission systems,andspace exploration. 

Lockheed Martin generated$65.4 billion in sales in 2020 and has approximately 114,000 employees worldwide. 

Lazarus is a state-sponsored hacking group with ties to North Korea. The prolific and sophisticated group is generally financially-motivated and is believed to be responsible for serious attacks in the past, beginning with the WannaCry ransomware outbreak, as well as the$80 million heist against Bangladeshi Bank, assaults against freight companies, and South Korean supply chains. 

On February 8, Qualys Senior Engineer of Threat Research Akshat Pradhan revealed a new campaign using Lockheed Martin's name to attack job applicants. 

In a similar way to past activities that abused the reputation of Northrop Grumman and BAE Systems, Lazarus is sending targets phishing documents pretending to offer employment opportunities. 

Also: Arid Viper hackers strike Palestine with political lures and Trojans

The documents, namedLockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc, contain malicious macros which trigger shellcode to hijack control flow, retrieve decoy documents, and create Scheduled tasks for persistence. 

Living Off the Land Binaries (LOLBins) is also abused to further the compromise of the target machine. However, when the malicious scripts attempted to pull in a further payload, an error was returned -- and so Qualys can't be sure what the final malware package was meant to achieve. 

"We attribute this campaign to Lazarus as there is significant overlap in the macro content, campaign flow, and phishing themes of our identified variants as well as older variants that have been attributed to Lazarus by other vendors," Pradhan says. 

This isn't the first time Lazarus has exploited job candidates or vacancies. F-Secure has previously found samples of phishing emails, masquerading as job offers, that were sent to a system administrator belonging to a targeted cryptocurrency organization.

In related research, Outpost24's Blueliv cybersecurity team has named Lazarus, Cobalt, and FIN7 as the most prevalent threat groups targeting the financial industry today.

Update 14.11GMT: A Lockheed Martin spokesperson toldZDNet:

"While we don't discuss specific threats or responses, we have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems and data security."

The company also has a dedicated fraud resource on its website. 

See also

• Fingers point to Lazarus, Cobalt, FIN7 as key hacking groups attacking finance industry
  
• Lazarus hacking group now hides payloads in BMP image files
  
• Lazarus group strikes cryptocurrency firm through LinkedIn job adverts
  

---

Have a tip?Get in touch securely via WhatsApp Signal at +447713 025 499, or over at Keybase: charlie0

---

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next