Dubious man in black suit

Bogus job offers hide trojanised open-source software

Microsoft researchers are warning of fake job offers where the only actual compensation available is a golden handshake of malware and trickery. The campaign targets those with technical know-how because, despite what some may think, scams are for everybody, not just people unfamiliar with tech. With the right tactics and messaging, anyone is a potential target.

A focused target list

The attack targets people working in defence, media careers, aerospace, and IT services. You know, the kind of people who might have access confidential information, sensitive data, journalists, important passwords etc.

The danger here is not simply the initial compromise, but where it can lead. With access to a compromised system attackers have a bridgehead they can use to move into networks, exposing servers, databases, mailboxes, you name it. The starting and ending points for any given attack would be quite different, beginning in one industry and ending in another.

How the attack works

Microsoft attributes the attacks to a state-sponsored group it calls ZINC, which operates from North Korea. This group is all about theft and espionage, so the target list up above makes sense.

The way the attacks work tends to follow a similar pattern:

  1. Bogus LinkedIn profiles claiming to be recruiters in the US, UK, and India, scouting for talent. Potential victims are enticed into applying for non-existent posts at genuine companies.

  2. Victims are sent tampered versions of open-source software, away from LinkedIn. It’s the classic “move the victim away from the potential safety of the starting point” technique. MSFT researchers claim to have seen “at least” five methods of delivering infected applications to would-be job applicants.

  3. Tampered software includes KiTTY and PuTTY, both of which are popular secure shell (SSH) clients used for remote administration of computers. There’s also TightVNC, muPDF/Subliminal Recording, and Sumatra PDF Reader.

  4. The compromised software works in similar, but different ways. In order to avoid detection the software may require certain conditions to be met. For example, MSFT research mentions that weaponised copies of TightVNC Viewer will only install a backdoor when it’s used to connect to particular host.

  5. Infected machines connect to a command and control (C2) server, used to monitor, issue commands, and install additional malware as and when it’s needed.

Bogus jobs: An endless scourge

Fake job offers are a perennial favourite of malware slingers everywhere. Scammers don’t have to guess what would-be job applicants want, so targeting them is easy, and applicants may be more willing to lower their guard, and may be less likely to alert HR or security about suspicious activity.

For example: If someone sends an employee a dubious PDF attachment they have no reason not to report it if they think it might be malicious. On the other hand, if an employee is looking for another job and someone sends them a bogus job offer or interview request, will they want to alert security about it and reveal that they’re thinking of leaving the company?

This is why it’s essential to spot the flaws in job offers which sound too good to be true. As many of these attacks ride the coat-tails of legitimate businesses, the ball is actually in the victim’s court. Find the employment details for the business in question, and approach the organisation directly. If the supposed offer is bogus, you’ll know right away and can safely delete any and all rogue correspondence. Who knows, your enquiring nature may even makes yours a name a theoretical future employer may remember!


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.