Notorious North Korean threat actor Lazarus Group has been caught using fake job opportunities to lure blockchain developers into running malware.
Cybersecurity researchers from Malwarebytes discovered a new campaign in which Lazarus impersonated Coinbase, one of the largest and most popular cryptocurrency exchanges in the world.
The criminals then approached blockchain developers with job offers for “engineering manager, product security” positions, and even conducted a few interviews to make the whole campaign more credible. At one point, however, the attackers shared what appeared to be a PDF file containing details about the alleged position. The only thing this file shares with a PDF is its icon; it is actually an executable, Coinbase_online_careers_2022_07.exe. Alongside the .exe, the threat actor also deploys a malicious DLL.
These files then connect to GitHub, which serves as the command and control (C2) server, to fetch further instructions on how best to infect the endpoint.
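The lure above works because Windows shows the icon embedded in the executable, not the file type. The check below, an added example that is not from the original article or from Malwarebytes, classifies a file by its header bytes instead and flags a PE that is dressed up as a document. The sample bytes and filenames are constructed for the demonstration.

```python
import struct

# Extensions a user would expect to open in a document viewer, and
# extensions that legitimately carry a PE image.
DOC_EXTS = {"pdf", "doc", "docx", "txt", "rtf"}
PE_EXTS = {"exe", "dll", "scr", "sys", "cpl"}


def content_type(data: bytes) -> str:
    """Return 'pe', 'pdf' or 'unknown' from the file header alone."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def looks_like_document_lure(name: str, data: bytes) -> bool:
    """True when the content is a PE but the name suggests a document:
    a double extension such as offer.pdf.exe, or a PE with a
    non-executable extension. A plain .exe with a document icon is only
    caught by content_type(); the icon itself is not visible here."""
    if content_type(data) != "pe":
        return False
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[1:-1]  # extensions hidden before the real one
    if any(p in DOC_EXTS for p in inner):
        return True
    return ext not in PE_EXTS


def fake_pe() -> bytes:
    """Constructed minimal PE header: MZ stub plus a PE signature."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    for fname, blob in [("Coinbase_online_careers_2022_07.pdf.exe", fake_pe()),
                        ("job_description.pdf", b"%PDF-1.7\n%constructed\n")]:
        print(fname, content_type(blob), looks_like_document_lure(fname, blob))
```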
“Fake job offer” attacks are nothing new. In fact, the largest cryptocurrency theft of all time, the $600 million Ronin Bridge heist, happened the same way. One of Ronin’s developers was contacted via LinkedIn by someone pretending to be a headhunter looking for quality developers.
One thing led to another, and the victim ended up downloading a weaponized PDF that handed the attackers the keys to Ronin’s kingdom.
The FBI also pointed the finger at the Lazarus Group for that attack. Whether or not that attribution holds, this threat actor is no stranger to fake job offers: the group has also impersonated General Dynamics and Lockheed Martin for the same purpose.
Lazarus usually attacks banks, cryptocurrency exchanges, NFT markets, and sometimes people known for holding large amounts of cryptocurrency.
Via: Bleeping Computer