Security researchers at AT&T Alien Labs report that a notorious hacking group has been targeting engineers working in the defence industry.

In recent months there have been a series of reports of malicious emails that use the disguise of a job offer to target defence contractors in the United States and Europe.

Attached to the emails are Word documents containing macros that plant malicious code onto a victim’s computer, and make changes to the targeted computer’s settings in an attempt to avoid detection.

According to security researchers, the attacks carry the hallmarks of being the work of the notorious Lazarus Group, a North Korean-linked hacking gang that has been blamed for the 2014 attack on Sony Pictures, and the theft of $81 million from the Bank of Bangladesh in 2016, amongst other attacks.

Since May, emails believed to have been sent by the Lazarus Group have targeted victims by posing as engineering opportunities from the likes of Airbus, General Motors, and military contractor Rheinmetall.

Microsoft Office correctly warns the recipient upon opening the poisoned document that it has disabled macro content, but because the email pretends to offer a career opportunity the attackers are banking on recipients overriding the security warning, and allowing the malicious code to execute.

Sometimes the poisoned documents even have the gall to claim that they are “protected” – as if in an attempt to reassure the recipient that the job offer communication is private – in an attempt to trick a user into feeling comfortable enabling the dangerous macro content.

Previous malware campaigns have attempted to trick victims with job opportunities at Boeing and BAE systems.

The security researchers report that the Lazarus Group have refined their attacks over time, making changes to their attacks in an attempt to avoid detection. Many of the attacks (Read more...)