Infamous North Korean threat actor Lazarus Group has been spotted attempting to lure blockchain developers with fake job offers laden with malware.
Cybersecurity researchers from Malwarebytes have discovered a new campaign in which Lazarus assumes the identity (opens in new tab) of Coinbase, one of the world’s biggest and most popular cryptocurrency exchanges.
The criminals then reach out to blockchain developers with a job offer for the role of “Engineering Manager, Product Security”, and even conduct a few interviews, to make the whole campaign more believable. At one point, however, the attackers will share a file, seemingly a PDF, with details on the alleged job position. The only thing this file has with a PDF is the icon, however, as it’s, in fact, an executable – Coinbase_online_careers_2022_07.exe. Besides the .exe, the threat actor will also deploy a malicious DLL.
Fake job offers galore
These files will then connect to GitHub, which servers as a command & control (C2) server, which shares further instructions on how to best infect the endpoint.
The “fake job offer” type of attack is nothing new. In fact, the biggest crypto theft of all time, a $600 million-heavy attack on the Ronin bridge, happened in the same manner. One of Ronin’s developers was approached, via LinkedIn, by someone pretending to be a headhunter looking for quality developers.
One thing led to another, and the victim ended up downloading a weaponized PDF file which eventually gave the attackers the keys to Ronin’s kingdom.
The FBI pointed its finger to Lazarus Group for this attack, as well. Regardless of if it ends up being true or not, this threat actor is by no means a stranger to fake job offers. The group has already used General Dynamics and Lockheed Martin for the same purpose.
Lazarus usually attacks banks, cryptocurrency exchanges, NFT marketplaces, and sometimes people known for holding a heavy bag of cryptocurrencies.
Via: Bleeping Computer (opens in new tab)