Beware of these fake “Amazon” job offers!

Have you received job offers that seem too good to be true? Be careful! They could be a scam, just like the fake Amazon job offers we describe below.


The campaign began with spear-phishing emails carrying malicious attachments and posing as Amazon. The emails identified were addressed to an employee of an aerospace company in the Netherlands and to a political journalist in Belgium.

The main goal of the attackers was data exfiltration. Lazarus (also known as HIDDEN COBRA) is an APT group that has been active since at least 2009. It is responsible for attacks on high-profile companies, including the theft of tens of millions of dollars in 2016, the WannaCryptor (also known as WannaCry) ransomware outbreak in 2017, and a long history of disruptive attacks on critical and public infrastructure in South Korea since at least 2011.

In both cases, the contact began with job offers: the employee in the Netherlands received an attachment via LinkedIn Messaging and the person in Belgium received a document via email. The attacks started after these documents were opened and various malicious tools were deployed on each system.

Figure 1. Document with Amazon logo sent to the target in the Netherlands

Attacker’s tools

The most interesting tool the attackers used was a user-mode module that gave them read and write access to kernel memory by exploiting the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first recorded instance of this vulnerability being exploited in a campaign. The attackers then used that kernel write access to disable seven mechanisms the Windows operating system offers for monitoring activity on the system, such as registry, file system and process-creation notifications and event tracing, essentially blinding security solutions in a very robust way.

“We attribute these attacks to Lazarus with high confidence from the specific modules, code signing certificate and intrusion approach in common with previous Lazarus campaigns, such as Operation In(ter)ception and Operation DreamJob. The diversity, numbers and eccentricity in carrying out the Lazarus campaigns define this group, as well as the fact that it exercises the three pillars of cybercriminal activities: cyber espionage, cyber sabotage and the pursuit of financial gain.”

Peter Kálnai, Senior Malware Researcher at ESET.


This research was presented at this year’s Virus Bulletin conference. Due to its originality, the main focus of the presentation was on the malicious component used in this attack which uses the Bring Your Own Vulnerable Driver (BYOVD) technique and exploits the CVE-2021-21551 vulnerability mentioned above. More detailed information is available in the whitepaper Lazarus & BYOVD: Evil to the Windows core.
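A BYOVD attack like the one described above still has to get the signed-but-vulnerable driver loaded, and that load is visible to telemetry. As an added defender-side example (not code from the article or from ESET's research), the script below walks constructed Sysmon DriverLoad (Event ID 6) records and flags loads whose SHA256 matches a placeholder vulnerable-driver blocklist or that come from a user-writable path; the hash value and event records are constructed, not real indicators.

```python
import xml.etree.ElementTree as ET
# Constructed placeholder (NOT a real hash); in practice fill this set from the
# Microsoft vulnerable driver blocklist or your own threat intel.
VULNERABLE_SHA256 = {"0000000000000000000000000000000000000000000000000000000000000001"}
# Kernel drivers normally live under System32\drivers; a load from a user-writable
# location is the usual trace of a driver the attacker dropped themselves.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# Constructed Sysmon Event ID 6 (DriverLoad) records, not real telemetry.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\\Windows\\System32\\drivers\\disk.sys</Data>
<Data Name="Hashes">SHA256=00000000000000000000000000000000000000000000000000000000000000AA</Data>
<Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data>
</EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\\Users\\Public\\drv.sys</Data>
<Data Name="Hashes">SHA1=DEADBEEF,SHA256=0000000000000000000000000000000000000000000000000000000000000001</Data>
<Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data>
</EventData></Event>
</Events>"""

def parse_driver_loads(xml_text):
    """Yield the EventData of every Sysmon DriverLoad (ID 6) event as a dict."""
    for ev in ET.fromstring(xml_text).findall("Event"):
        if ev.findtext("System/EventID") == "6":
            yield {d.get("Name"): (d.text or "") for d in ev.findall("EventData/Data")}

def parse_hashes(field):
    """Turn Sysmon's 'SHA1=...,SHA256=...' field into {algo: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def assess(event):
    """Reasons a driver load is suspicious (empty list = nothing seen). A BYOVD driver
    carries a VALID vendor signature, so the signature check alone never catches it."""
    reasons = []
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in VULNERABLE_SHA256:
        reasons.append("known-vulnerable driver hash")
    if event.get("ImageLoaded", "").lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from user-writable path")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid")
    return reasons

def find_suspicious(xml_text=SAMPLE_EVENTS):
    """Map each flagged driver path to its reasons; {} means nothing suspicious."""
    return {e["ImageLoaded"]: assess(e) for e in parse_driver_loads(xml_text) if assess(e)}
```

Blocking the load outright (HVCI with the vulnerable driver blocklist enabled) is the stronger control; this detection is for the estates where that is not yet in place.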

Undoubtedly, the team behind the attack is large, systematically organized and well prepared. It is therefore better to be prepared for any cyberthreat! Remember not to fall for a job offer that seems too good to be true: it is surely fake, as in the case of these Amazon lures.
