“Operation North Star” Is Targeting the American Aerospace and Defense Industry

  • North Korean hackers are still targeting high-ranking engineers who work in the American Defense industry.
  • People are tricked into opening a macro-ridden document that plants spyware on their system.
  • The actors are then masking the outgoing network communications to avoid raising suspicions.

North Korean hackers continue to target key entities in the American defense and aerospace sectors, basing their methods on the same trick of “fake job postings.” This is a method that was reported by ESET researchers last month, attributing “Operation In(ter)ception” to the “Lazarus Group,” and also the same thing that North Korean hackers did during the 2019 Redbanc attack.

So, it’s clear that even though the particular method of cyber-attack has been exposed multiple times, it still works like a charm, and so North Korean hackers are sticking with it.

McAfee reports on the 2020 campaign, which they call “Operation North Star.” It begins with the sending of malicious documents that supposedly contain job offer details. The document contains malicious macros which create an LNK file in the startup folder, replace the “sqlite.dll” for side-loading purposes, and then drop some kind of a payload.

Usually, this is spyware that collects information from the victim’s computer and sends it to the C2 server that is controlled by the North Korean hackers. The recipient of the document is convinced to “enable content” in their MS Office suite because they are hoping that they’ll get a lucrative job opportunity, which is admittedly a very compelling factor

operation diagram
Source: McAfee

The researchers of McAfee analyzed different versions of these documents and figured that they were all created in Word 2016 with English and Korean installed. The actors used an XML code file as a template, and it seems that there are many different authors involved in the process. From there, the VBA and the DLL implants remained largely unchanged.

As for the communication with the C2, the malware abuses the “Windows API ObtainUserAgentString” to get the User-Agent and mask the outgoing network traffic as innocuousness through mimicry.

infection process
Source: McAfee

McAfee says they recorded at least nine individual campaign IDs since the start of the year, while some of the identified subdomains that supported the operations are:

  • saemaeul.mireene.com
  • orblog.mireene.com
  • sgmedia.mireene.com
  • vnext.mireene.com
  • nhpurumy.mireene.com
  • jmable.mireene.com
  • jmdesign.mireene.com
  • all200.mireene.com

agent
Source: McAfee

By analyzing the “North Star” victimological data, the researchers figured that the hackers were going after Senior Design Engineers and System Engineers working on the following sectors of the US Defense industry:

  • F-22 Fighter Jet Program
  • Defense, Space, and Security (DSS)
  • Photovoltaics for space solar cells
  • Aeronautics Integrated Fighter Group
  • Military aircraft modernization programs

In conclusion, professionals should be cautious with how they treat their LinkedIn communications. If you are offered a job, there’s really no reason to accept opening a document that supposedly contains the details.

Even then, information around salary and job tasks shouldn’t need macros to manifest. If you still think this is a legit job offer, just ask for an alternative method of conveying this information.

REVIEW OVERVIEW

Recent Articles

Brandon Hoffman, NetEnrich: AI Is No Replacement for People in Cybersec

NetEnrich is a Silicon Valley company that does its best to help other companies protect themselves from outside threats and more. For a few...

How to Protect Yourself From VPN Data Breaches

VPNs or Virtual Private Networks offer us one of the strongest forms of online security possible. The encrypted tunnel that your data is wrapped...

5 Best Kodi Repositories in 2020 – Your Gateway to Hundreds of High-Quality Kodi Addons!

Here's our overview of the best Kodi repositories in 2020. Official Kodi Repository TVAddons Repository BludhavenGrayson Repository Mhancoc7 Repository Marcelveldt Repository By using repositories, you...