According to the inaugural edition of Google’s new Threat Horizons report, North Korean state-sponsored hackers pretended to be Samsung recruiters and issued fraudulent job offers to the staff at South Korean security businesses that market anti-malware software.
According to Google, the emails included a PDF that purported to be a job description for a position at Samsung:
“The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however, the PDFs were malformed and did not open in a standard PDF reader,” Google said.
When targets replied that they could not open the job offer archive, the hackers offered to help by sending a link to a “Secure PDF Reader” program they could download. According to Google, this program was a modified copy of PDFTron, a legitimate PDF reader, altered to install a backdoor trojan on the victims’ machines.
Google’s Threat Analysis Group, which discovered the malicious emails, attributed the attacks to the same North Korean group that targeted security researchers on Twitter and other social networks in late 2020 and into 2021.
The threat actor, tracked by Microsoft under the name “Zinc,” has puzzled the security community with its methods; the prevailing view is that the group sought to obtain undisclosed vulnerabilities and exploits from some of the community’s more naive and careless members.
The attack on South Korean antivirus vendors may have a different aim: compromising their staff could give the group access to tooling for a targeted supply chain attack against the South Korean enterprises that run their anti-malware software.
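The lure above depends on a “malformed” PDF that a standard reader refuses to open, which then justifies handing the target a trojanized reader. A mail gateway or SOC triage step can catch that pattern before anyone goes looking for an alternate viewer: an attachment named .pdf that lacks the basic PDF structure is worth quarantining and reviewing on its own. The following is an added example, not code from Google’s report or from any product named in the article; the three sample attachments are constructed for illustration and the `triage_pdf_attachment` function and its thresholds are assumptions.

```python
import re

# Constructed samples (not from the report): a minimal well-formed PDF,
# a truncated copy of it, and a PE executable carrying a .pdf name.
WELLFORMED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)
TRUNCATED_PDF = WELLFORMED_PDF[:40]        # header present, body cut, no trailer
NOT_A_PDF = b"MZ\x90\x00" + b"\x00" * 60   # Windows PE magic under a .pdf name

ACTIVE_CONTENT_TAGS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def triage_pdf_attachment(name: str, data: bytes) -> dict:
    """Cheap structural checks on an attachment claiming to be a PDF.

    Returns a dict with the attachment name, a list of findings, and a
    'malformed' flag that is True when the bytes do not carry the minimum
    structure a standard reader needs (header, trailer/xref, %%EOF).
    A malformed lure is exactly the case where a target is tempted to
    install an attacker-supplied "secure reader", so these get quarantined.
    """
    findings = []

    # 1. Magic: every PDF starts with "%PDF-" followed by a version.
    if not data.startswith(b"%PDF-"):
        findings.append("missing %PDF- header")
        if data.startswith(b"MZ"):
            findings.append("PE executable magic under a PDF filename")

    # 2. End-of-file marker: readers look for %%EOF in the last 1 KiB.
    if b"%%EOF" not in data[-1024:]:
        findings.append("no %%EOF marker near end of file")

    # 3. A trailer dictionary or a cross-reference stream must be present.
    if not re.search(rb"\btrailer\b", data) and b"/XRef" not in data:
        findings.append("no trailer or cross-reference stream")

    structural_findings = list(findings)

    # 4. Active content is not malformation, but it raises the review priority.
    for tag in ACTIVE_CONTENT_TAGS:
        if tag in data:
            findings.append(f"active content: {tag.decode()}")

    # 5. Name/content mismatch: a .pdf extension on non-PDF bytes.
    if name.lower().endswith(".pdf") and not data.startswith(b"%PDF-"):
        findings.append("filename extension does not match content")

    return {
        "name": name,
        "malformed": bool(structural_findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, blob in (("ok.pdf", WELLFORMED_PDF),
                        ("truncated.pdf", TRUNCATED_PDF),
                        ("job_description.pdf", NOT_A_PDF)):
        result = triage_pdf_attachment(label, blob)
        status = "QUARANTINE" if result["malformed"] else "pass"
        print(f"{status:10} {label}: {result['findings']}")
```

The checks are deliberately shallow (no full object parsing) so they run on every inbound attachment; anything flagged `malformed` goes to an analyst or a sandbox rather than back to the recipient, and the reply-with-a-reader-download step never gets a chance to happen. In a real gateway the same logic would also record the sender and any URLs in the follow-up mail, since the download link is the part of the chain worth blocking.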