No, Coinbase doesn't want to offer you a job, it's a North Korean scam

The infamous North Korean threat actor, Lazarus Group, has been seen trying to lure blockchain developers with fake, malware-laden job advertisements.

Cybersecurity researchers at Malwarebytes have uncovered a new campaign in which Lazarus assumes the identity of Coinbase, one of the world's largest and most popular cryptocurrency exchanges.

The criminals then contact blockchain developers with a job offer for the position of “Engineering Manager, Product Security” and even conduct some interviews to make the whole campaign more credible. At some point, however, the attackers share a file, apparently a PDF, with details of the supposed position. The only thing this file has in common with a PDF is the icon, since it is actually an executable: Coinbase_online_careers_2022_07.exe. In addition to the .exe, the threat actor also deploys a malicious DLL.
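A defender-side check for the masquerade described above, as an added example that is not from the article or from Malwarebytes: it identifies a file by its magic bytes rather than by its icon or name. The lure word list, the function names and the PE stub bytes are assumptions constructed for illustration.

```python
import re
import struct

# Words typical of job-offer lures; an assumed, illustrative list (tune locally).
LURE_WORDS = re.compile(r"(career|job|offer|salary|resume|position)", re.I)
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|rtf)(?=\.|$)", re.I)
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif)$", re.I)


def sniff(data: bytes) -> str:
    """Identify content from magic bytes instead of trusting name or icon."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def triage(name: str, data: bytes) -> list:
    """Return reasons an attachment deserves analyst attention (empty = none)."""
    reasons, kind = [], sniff(data)
    if kind == "pe":
        if not EXEC_EXT.search(name):
            reasons.append("PE content behind a non-executable extension")
        if DOC_EXT.search(name) and EXEC_EXT.search(name):
            reasons.append("document extension followed by executable extension")
        if LURE_WORDS.search(name):
            reasons.append("executable with job-offer wording in its name")
    elif kind != "pdf" and name.lower().endswith(".pdf"):
        reasons.append("named .pdf but content is not a PDF")
    return reasons


def make_pe_stub() -> bytes:
    """Constructed 0x84-byte buffer with only the DOS and PE signatures set."""
    buf = bytearray(0x84)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    name = "Coinbase_online_careers_2022_07.exe"  # filename given in the article
    print(name, triage(name, make_pe_stub()))
```

Because Windows hides known file extensions by default, the icon is often all a recipient sees, which is why the check reads the file header.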

Abundance of bogus job offers

These files then connect to GitHub, which serves as a command and control (C2) server and shares additional instructions on how best to infect the endpoint.

The “fake job offer” attack is not new. In fact, the largest crypto heist of all time, a massive $600 million attack on the Ronin Bridge, happened the same way. One of the Ronin developers was approached, via LinkedIn, by someone posing as a headhunter looking for quality developers.

One thing led to another, and the victim ended up downloading a weaponized PDF file that ultimately gave the attackers the keys to the Ronin kingdom.

The FBI also singled out the Lazarus Group for this attack. Whether that turns out to be true or not, this threat actor is no stranger to fake job offers. The group has previously impersonated General Dynamics and Lockheed Martin for the same purpose.

Lazarus usually attacks banks, cryptocurrency exchanges, NFT markets, and sometimes individuals who are known to hold large amounts of cryptocurrency.

Via: Bleeping Computer