A group of hackers suspected to be from North Korea has been identified targeting media organizations and security researchers in Europe and the US. The attackers have been using fake job offers to lure their victims, initially on LinkedIn before moving to WhatsApp, where they send Word documents containing malicious macros. The macros fetch a trojanized version of TightVNC from compromised WordPress sites, enabling the attackers to execute arbitrary code on the targeted device.
The North Korean hackers have been observed using new, custom malware families, including LidShift, TouchShift, SideShow, and HookShot, none of which had previously been associated with a known threat group. The attackers use these tools to establish a foothold in the target's corporate environment and to evade detection. They also exploited a zero-day flaw in an ASUS driver to evade endpoint detection and response (EDR) software.
The group responsible for the campaign is tracked as UNC2970 by Mandiant, which has been monitoring the campaign since June 2022.