North Korean Hackers Used 'Torisma' Spyware in Job Offers-based Attacks
2020-11-05 23:23

The attacks, which targeted IP addresses belonging to internet service providers in Australia, Israel, and Russia, and to defense contractors based in Russia and India, involved a previously undiscovered spyware tool called Torisma to stealthily monitor its victims for continued exploitation.

Tracked under the codename "Operation North Star" by McAfee researchers, the campaign was first detailed in July, when initial findings revealed the use of social media sites, spear-phishing, and weaponized documents with fake job offers to trick employees working in the defense sector and gain a foothold on their organizations' networks.

The attacks have been attributed to infrastructure and TTPs previously associated with Hidden Cobra - an umbrella term used by the US government to describe all North Korean state-sponsored hacking groups.

The development continues the trend of North Korea, a heavily sanctioned country, leveraging its arsenal of threat actors to support and fund its nuclear weapons program by perpetrating malicious attacks on US defense and aerospace contractors.

Not only did the campaign use legitimate job recruitment content from popular US defense contractor websites to lure targeted victims into opening malicious spear-phishing email attachments, but the attackers also compromised and used genuine websites in the US and Italy - an auction house, a printing company, and an IT training firm - to host their command-and-control capabilities.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/oKLVmW4FIpI/north-korean-hackers-used-torisma.html