Not a dream job: Hunting for malicious job offers from an APT
TL;DR: A recent Mandiant blog post described a series of targeted attacks over WhatsApp by an APT cluster named UNC4034. We found several additional cases in VirusTotal which we believe with high confidence are related to the same activity set.
According to the original publication, this activity is most likely related to a North Korean actor and could be an extension of Operation "Dream Job", leveraging targeted distribution of malicious ISO files. Based on Mandiant's research, in the first stage the attacker emails the victim a job offer at Amazon, then follows up over WhatsApp Web with a message sharing a malicious ISO file, presented as part of the selection process.
The original publication provides two hashes of ISO files named amazon_test.iso and amazon_assessment.iso respectively. Unfortunately, only the first one was found in VirusTotal:
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b
e03da0530a961a784fbba93154e9258776160e1394555d0752ac787f0182d3c0
Hunting for more samples
We started by trying to find the ISO we were missing in VirusTotal by …
IoC
137.184.15.189
143.244.186.68
147.182.237.105
14f736b7df6a35c29eaed82a47fc0a248684960aa8f2222b5ab8cdad28ead745
172.93.201.253
3.137.98.129
37e30dc2faaabaf93f0539ffbde032461ab63a2c242fbe6e1f60a22344c8a334
3818527bc78efcece9d9bc87d77efa9450c2ba5c94f8441ea557ba29d865e7d3
44.238.74.84
455a7ebf67aec7b4d6cc18ed930bde491c0327ba5e24968514dd9b3449a7c374
52ec2098ed37d4734a34baa66eb79ec21548b42b9ccb52820fca529724be9d54
6af9af8aa0d8d4416c75e0e3f7a20dfe8af345fb5c5a82d79e004a54f1b670dc
75771b5c57bc7f0d233839a610fa7a527e40dc51b2ec8cbda91fab3b4faa977f
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b
ccdb436a5941ba47a8b7e110021ad98ba6dc4e0296dc973429fc0c73de5e5397
cd8e12cddfe71b89597b6621d538b63673c8a8a3bf47a0fa572961ca1280e5b5
cf22964951352c62d553b228cf4d2d9efe1ccb51729418c45dc48801d36f69b4
dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031
e03da0530a961a784fbba93154e9258776160e1394555d0752ac787f0182d3c0
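As an added example (this is not code from the original post, nor from Mandiant or VirusTotal), the script below loads the indicators listed above, validates them and splits them into IP addresses and SHA-256 hashes, then checks log lines against them. The proxy and EDR log lines are constructed for the demonstration; the field names in them are assumptions, not a real product's format.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators exactly as listed in the IoC section of this post.
IOC_TEXT = """
137.184.15.189
143.244.186.68
147.182.237.105
14f736b7df6a35c29eaed82a47fc0a248684960aa8f2222b5ab8cdad28ead745
172.93.201.253
3.137.98.129
37e30dc2faaabaf93f0539ffbde032461ab63a2c242fbe6e1f60a22344c8a334
3818527bc78efcece9d9bc87d77efa9450c2ba5c94f8441ea557ba29d865e7d3
44.238.74.84
455a7ebf67aec7b4d6cc18ed930bde491c0327ba5e24968514dd9b3449a7c374
52ec2098ed37d4734a34baa66eb79ec21548b42b9ccb52820fca529724be9d54
6af9af8aa0d8d4416c75e0e3f7a20dfe8af345fb5c5a82d79e004a54f1b670dc
75771b5c57bc7f0d233839a610fa7a527e40dc51b2ec8cbda91fab3b4faa977f
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b
ccdb436a5941ba47a8b7e110021ad98ba6dc4e0296dc973429fc0c73de5e5397
cd8e12cddfe71b89597b6621d538b63673c8a8a3bf47a0fa572961ca1280e5b5
cf22964951352c62d553b228cf4d2d9efe1ccb51729418c45dc48801d36f69b4
dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031
e03da0530a961a784fbba93154e9258776160e1394555d0752ac787f0182d3c0
"""

# Constructed log lines (not real telemetry). Line 1 is a near-miss IP
# (13.137.98.129, not 3.137.98.129) and line 3 is a benign hash, so both
# must NOT match. Line 2 carries an IoC hash in upper case on purpose.
SAMPLE_LOGS = [
    "2022-09-14T10:02:11Z proxy src=10.0.0.12 dst=147.182.237.105:443 action=allow",
    "2022-09-14T10:02:13Z proxy src=10.0.0.12 dst=13.137.98.129:443 action=allow",
    "2022-09-14T10:05:40Z edr host=WS-42 file=amazon_test.iso "
    "sha256=8CC60B628BDED497B11DBC04FACC7B5D7160294CBE521764DF1A9CCB219BBA6B",
    "2022-09-14T10:06:01Z edr host=WS-42 file=setup.exe sha256=" + "0" * 64,
]

SHA256_LINE_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Word boundaries stop 3.137.98.129 from matching inside 13.137.98.129.
IPV4_SCAN_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_SCAN_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    sha256: set = field(default_factory=set)
    rejected: list = field(default_factory=list)  # tokens that are neither


def parse_iocs(text: str) -> IocSet:
    """Split a flat indicator list into validated IPs and SHA-256 hashes."""
    iocs = IocSet()
    for raw in text.splitlines():
        token = raw.strip()
        if not token:
            continue
        if SHA256_LINE_RE.match(token):
            iocs.sha256.add(token.lower())  # normalise case once, here
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            iocs.rejected.append(token)
            continue
        # Private/loopback/reserved addresses would only generate noise.
        if not ip.is_global:
            iocs.rejected.append(token)
            continue
        iocs.ips.add(str(ip))
    return iocs


def scan_logs(lines, iocs: IocSet):
    """Return (line_index, kind, indicator) for every IoC seen in the logs."""
    hits = []
    for idx, line in enumerate(lines):
        for m in IPV4_SCAN_RE.findall(line):
            if m in iocs.ips:
                hits.append((idx, "ip", m))
        for m in SHA256_SCAN_RE.findall(line):
            if m.lower() in iocs.sha256:
                hits.append((idx, "sha256", m.lower()))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for idx, kind, value in scan_logs(SAMPLE_LOGS, iocs):
        print(f"line {idx}: {kind} match {value}")
```

Hash indicators are normalised to lower case at load time and compared case-insensitively, since EDR products differ in how they print digests; IP matching uses word boundaries so that a shorter indicator such as 3.137.98.129 cannot fire on an unrelated address that merely ends with the same octets.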