Threat Insight
North Korean Threat Actor Targets Financial Sector in the Nordics
Truesec has observed a campaign against people in the financial sector in the Nordics by the North Korean state-sponsored group known as “Lazarus”. The attack begins with a fake message on LinkedIn that claims to be an invitation to apply for a lucrative job at a large U.S. financial and asset management company. If the victim accepts the offer, they are prompted to take an action that results in infection with a remote access trojan dubbed “BeaverTail”.[1]
BeaverTail contains functionality that automatically searches the victim’s machine for cryptocurrency-related data, but it can also be used as a remote access tool for further attacks. Truesec will publish additional information as soon as we have finished our investigation, but it appears that the attack follows an attack chain similar to the one described by researchers from SentinelOne.[2]
Recommendation
Organizations in the financial sector in the Nordics should warn their personnel about this campaign and encourage them to report suspicious direct messages on LinkedIn.
References
[1] Truesec CSIRT
[2] https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/