A North Korean state-sponsored hacking group posed as Samsung recruiters and sent fake job offers to employees at South Korean security companies that sell anti-malware software and security solutions.
According to reports, this state-sponsored North Korean hacking group has been identified as “Zinc,” also known as Lazarus. The group is well known for targeting security researchers in previous campaigns.
The emails sent to the security researchers with the fake job offers carried a malicious PDF that claimed to contain job information for a position at Samsung. The hackers malformed the PDF so that it would not open in a standard PDF reader.
When the victim cannot open the job offer PDF, they complain, and the hackers respond by sending a link to a secure PDF reader application. Google Drive offers PDFTron, a secure PDF reader app, but Google says the package provided by the hackers was a modified version of PDFTron that had been changed to install a backdoor trojan on the victims’ systems.
According to Google TAG (Threat Analysis Group), all of these attacks were attributed to the North Korean hacker group Zinc APT, which also targeted security researchers on Twitter and other social media platforms in late 2020 and early 2021.