North Korean hacking group targeting European drone maker with ScoringMathTea malware

One of the most prolific hacking groups in North Korea has targeted at least three European companies manufacturing drones and other military equipment. 

Researchers at ESET said they found evidence of a new tentacle of the long-running Operation DreamJob campaign — where North Korea’s Lazarus group sends malware-laden emails purporting to be from recruiters at top companies. 

ESET researcher Peter Kálnai, who discovered the campaign, said the recent attacks were aimed at stealing proprietary information and manufacturing know-how regarding unmanned aerial vehicles. At least one of the malicious emails tracked by ESET explicitly mentioned drones, he added. 

“We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the front line,” ESET cyberthreat analyst Alexis Rapin explained.

“This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing.”

The emails seen by ESET came with PDFs describing lucrative, but fake, job offers. The malware attached to the PDFs is called ScoringMathTea, a strain that allows attackers to take over infected machines and steal information. 

ESET said the companies attacked are active in the defense sector in Central and Southeastern Europe. Each company manufactures different types of military equipment or parts — much of which is being used in Ukraine thanks to military assistance from other European countries. 

ESET noted that the emails came right as North Korean soldiers were being deployed in Russia on the frontlines of the country’s war with Ukraine. The company’s researchers theorized that North Korea wanted the information on drones both to help its soldiers in Russia and to assist in its own domestic manufacturing of unmanned aerial vehicles.

Last week, the General Staff of Ukraine released a statement claiming it saw North Korean troops in the Russian city of Kursk using reconnaissance drones to find Ukrainian military positions. 

“The Defense Forces of Ukraine have intercepted communications between North Korean drone operators and personnel of the Russian army. North Korean UAV operators adjusted the fire of multiple launch rocket systems against Ukrainian positions,” the statement said. 

The researchers traced the use of the ScoringMathTea malware back to October 2022, when it was used in attacks on organizations in Portugal and Germany as part of fake job offer emails purporting to be from French company Airbus. 

It provides attackers with troves of information about a victim’s system and provides a gateway for threat actors to take further actions. 

ESET previously tracked compromises involving ScoringMathTea at companies in India, Poland, the U.K. and most recently Italy. The malware appears to be a hallmark of the Operation DreamJob campaign, the researchers said. 

“For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” Kálnai said. 

Threat researchers at several companies have been tracking the Operation DreamJob campaign since 2020. Google warned in 2022 that 250 people working for 10 different news media, domain registrars, web hosting providers and software vendors were targeted by the campaign, receiving malicious emails from fake recruiters claiming to be from Disney, Google and Oracle. 

The emails contained spoofed links to legitimate job sites like Indeed and ZipRecruiter. 

The Lazarus Group is North Korea’s flagship hacking operation and has been accused of stealing billions in cryptocurrency from blockchain platforms while also facilitating the country’s longstanding IT worker scheme which has siphoned millions from U.S. companies.  


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
