North Korea’s Lazarus cybercrime gang is now breaking into chemical sector companies’ networks to spy on them, according to Symantec’s threat intel team.
While the Korean crew’s recent, and highly profitable, thefts of cryptocurrency have been in the headlines, the group still keeps its spying hand in. Fresh evidence has been found linking a recent espionage campaign against South Korean targets to file hashes, file names, and tools previously used by Lazarus, according to Symantec.
The security shop says the spy operation is likely a continuation of the state-sponsored snoops’ Operation Dream Job, which started back in August 2020. This scheme involved using phony job offers to trick job seekers into clicking on links or opening malicious attachments, which then allowed the criminals to install spyware on the victims’ computers.
ClearSky and AT&T security researchers documented Dream Job campaigns targeting defense, government, and engineering organizations in 2020 and 2021. And earlier this year, Qualys security researchers documented a similar scam targeting Lockheed Martin job applicants.
Symantec’s threat hunting team says Lazarus’ more-recent focus on chemical companies began in January, when the security firm detected network activity on “a number of organizations based in South Korea.”
In this case, the attacks usually begin with the victim receiving a malicious HTML file, which is somehow copied to a DLL file called scskapplink.dll that is used to compromise an application on the system.
“The DLL file gets injected into INISAFE Web EX Client, which is legitimate system management software.
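As an added illustration of the detection point a defender would take from the description above (this example is mine, not Symantec's and not from the article): a small Python scanner over constructed image-load log lines that flags the named DLL being loaded anywhere, and flags any module loaded into the INISAFE Web EX Client process from a user-writable directory. Only the DLL name and the process name come from the article; the log line format, the sample lines, and the user-writable-path heuristic are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the article. Everything else in this file (log format,
# sample lines, path heuristic) is constructed for the example.
SUSPECT_DLL = "scskapplink.dll"
TARGET_PROCESS = "inisafe web ex client"

# Assumed image-load record format, one event per line:
#   <timestamp> IMAGE_LOAD pid=<n> process="<name>" image="<full path of loaded module>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+IMAGE_LOAD\s+pid=(?P<pid>\d+)\s+'
    r'process="(?P<proc>[^"]*)"\s+image="(?P<image>[^"]*)"$'
)

# Constructed sample log: a benign system DLL, the named DLL loading from Temp,
# an unrelated process loading from Downloads, the target process loading an
# unknown DLL from Downloads, and one malformed line.
SAMPLE_LOG = [
    r'2022-01-14T09:12:03Z IMAGE_LOAD pid=4120 process="INISAFE Web EX Client" image="C:\Windows\System32\kernel32.dll"',
    r'2022-01-14T09:12:05Z IMAGE_LOAD pid=4120 process="INISAFE Web EX Client" image="C:\Users\alice\AppData\Local\Temp\scskapplink.dll"',
    r'2022-01-14T09:13:10Z IMAGE_LOAD pid=5200 process="notepad.exe" image="C:\Users\alice\Downloads\helper.dll"',
    r'2022-01-14T09:14:00Z IMAGE_LOAD pid=4120 process="INISAFE Web EX Client" image="C:\Users\alice\Downloads\update.dll"',
    "garbage line that does not match the format",
]


@dataclass
class Finding:
    ts: str
    pid: int
    process: str
    image: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one image-load record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def module_basename(path: str) -> str:
    """Lower-cased file name of a loaded module, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """Assumed heuristic: module paths under common user-writable folders."""
    p = path.replace("\\", "/").lower()
    return any(marker in p for marker in ("/appdata/local/temp/", "/downloads/", "/public/"))


def scan(lines: List[str]) -> List[Finding]:
    """Apply the two rules to every parseable record and return the hits in order."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not image-load records
        name = module_basename(rec["image"])
        proc = rec["proc"].lower()
        reason = None
        if name == SUSPECT_DLL:
            reason = "known-bad module name loaded"
        elif proc == TARGET_PROCESS and is_user_writable(rec["image"]):
            reason = "target process loaded module from user-writable path"
        if reason:
            findings.append(Finding(rec["ts"], int(rec["pid"]), rec["proc"], rec["image"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} {f.process!r} loaded {f.image!r}: {f.reason}")
```

The first rule is a plain indicator match and will age as the file name changes; the second rule is the more durable one, since it keys on the behaviour the article describes (a legitimate management client loading a module from a location the software itself would not install to). In a real deployment the process name and the list of expected module directories would come from an inventory of the software, not from constants.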