As reported by ZDNet, researchers with McAfee have released further analysis of a campaign dubbed “Operation North Star” that details the tools used by this hacking group. While the previously known Tactics, Techniques and Procedures (TTPs) of spear-phishing emails and LinkedIn messages posing as job recruiters are unchanged, McAfee has uncovered additional TTPs regarding the threat group’s methods of compromise once the initial malicious attachment has been opened.
This hacking group first deploys a basic host-profiling tool, which collects host information such as disk details, free space and computer name. Next, an implant known as Torisma is installed, which is used for credential theft and Remote Desktop Protocol (RDP) session theft. McAfee also noted that some of the TTPs used by this group, such as its lures and campaign targets, are very similar to those used by Lazarus Group, a North Korean APT.
As the initial lure for many of these attacks was a fake recruiting email, Binary Defense does not recommend opening recruitment emails from unknown sources unless you are actively seeking new employment. In addition to APT teams using recruitment emails as lures, more common malware families such as Emotet and Qakbot have also been observed using recruitment-themed emails as lures. Additionally, Binary Defense recommends the use of a 24/7 SOC monitoring solution, such as Binary Defense’s own Security Operations Task Force, so that analysts can identify and remediate malicious activity even when it happens outside of normal operating hours.