New Lazarus Group Campaign Targets EU Defense Companies
The suspected objective of the Lazarus group was the exfiltration of proprietary information and manufacturing expertise, particularly pertaining to UAV technology.

October 24, 2025 | 3 min read

ESET researchers have uncovered a new portion of the broad cyberespionage campaign called Operation DreamJob that targeted several European companies within the defense industry, with a particular focus on the UAV/drone sector. The campaign, which was attributed to the North Korea-aligned Lazarus group, suggests a potential link to that country's ongoing efforts to boost its domestic drone program.
The primary payload deployed in these attacks was ScoringMathTea, a RAT that has been in use since at least 2022 and gives attackers full control over compromised systems. The suspected objective of the Lazarus group was the exfiltration of proprietary information and manufacturing expertise, particularly pertaining to UAV technology.
The attacks successfully compromised three defense companies in Central and Southeastern Europe. Initial access was primarily gained through social engineering tactics, where targets received deceptive, yet lucrative, job offers. These offers were accompanied by malware-laden decoy documents and trojanized PDF readers. ScoringMathTea has been deployed in other DPRK-attributed campaigns and gives the attackers a range of capabilities.
“Its first appearance can be traced back to VirusTotal submissions from Portugal and Germany in October 2022, where its dropper posed as an Airbus-themed job offer lure. The implemented functionality is the usual required by Lazarus: manipulation of files and processes, exchanging the configuration, collecting the victim’s system info, opening a TCP connection, and executing local commands or new payloads downloaded from the C&C server. The current version does not show any dramatic changes in its feature set or its command parsing. So the payload is probably receiving continuous, rather minor improvements and bug fixes,” ESET said in its analysis of the operation.
ESET Research said it attributes these activities to the Lazarus group with high confidence, saying that the methodologies closely align with previous Operation DreamJob campaigns and that the targeted sectors (aerospace, defense, engineering) jibe with the group's historical targeting.
"We believe that it is likely that Operation DreamJob was – at least partially – aimed at stealing proprietary information, and manufacturing know-how, regarding UAVs. The drone mention observed in one of the droppers significantly reinforces this hypothesis," said ESET researcher Peter Kálnai, who led the analysis of these attacks.
The timing of these attacks coincides with reports of North Korean soldiers being deployed in Russia, potentially assisting in the conflict in Ukraine. This raises the possibility that Operation DreamJob was designed to acquire sensitive information on Western-made weapons systems used in the Russia-Ukraine war. Also, the targeted organizations manufacture materials that North Korea manufactures domestically, suggesting an interest in perfecting its own designs and processes.
"We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the front line. This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing," said Alexis Rapin, ESET cyberthreat analyst.
The Lazarus Group, also known as HIDDEN COBRA, is a mature APT group linked to North Korea that has been active since at least 2009 and is believed to be responsible for a wide range of high-profile intrusions and attacks, including WannaCry. The group is notorious for its diverse cybercriminal activities, comprising cyberespionage, sabotage, and theft. Operation DreamJob is an overarching name for Lazarus campaigns that leverage social engineering through fake job offers, primarily targeting the aerospace, defense, engineering, and media sectors.
Other research teams have disclosed separate portions of North Korean job-related malware and cyberespionage campaigns in the last few years, including widespread efforts by the country’s government to place North Korean workers inside U.S. technology and manufacturing companies. The U.S. government has also tracked these companies closely for many years.
Dennis Fisher is an award-winning journalist and author. He is one of the co-founders of Decipher and Threatpost and has been writing about cybersecurity since 2000. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. He is the author of 2.5 novels and once met Shaq. Contact: dennis at decipher.sc.