As reported by ZDNet, researchers with McAfee have released further analyses of a campaign dubbed “Operation North Star” that detail the tools used by this hacking group. While the previously known Tactics, Techniques and Procedures (TTPs) of spear-phishing emails and LinkedIn messages posing as job recruiters are unchanged, McAfee has uncovered additional TTPs regarding the threat group’s methods of compromise once the initial malicious attachment has been opened.
This hacking group first deploys a basic host-profiling tool, which steals host information such as disk details, free space and the computer name. Next, an implant known as Torisma is installed, which is used for credential theft and Remote Desktop Protocol (RDP) session theft. McAfee also noted that some of the TTPs used by this group, such as its lures and campaign targets, are very similar to those used by Lazarus Group, a North Korean APT.