Lazarus Group Targets Crypto Wallets with Cross-Platform Malware

The Lazarus Group, a North Korea-linked cybercrime group, is running a campaign using fake LinkedIn job offers in the cryptocurrency and travel sectors. The malware targets Windows, macOS, and Linux systems. Bitdefender’s cybersecurity experts discovered the attack, which uses multiple stages to steal sensitive data and gain remote access to infected machines.

Fake Job Offers Lure Victims into Malware Trap

The attack starts with a carefully crafted message on LinkedIn. The scammer offers attractive remote work with flexible hours and good pay. This bait entices victims to engage. Once the target shows interest, the attacker requests personal details, such as resumes or GitHub links, to gain valuable information.

While these requests may seem harmless, they are part of a larger scheme. Bitdefender reports that attackers, posing as recruiters, then send a link to a fake decentralized exchange (DEX) project on GitHub or Bitbucket. Victims are asked to review it and provide feedback, unknowingly triggering the next phase of the attack.

Cross-Platform JavaScript Stealer Delivers Payload

Within the fake project’s code is an obfuscated JavaScript script. This script loads a cross-platform information stealer capable of harvesting data from cryptocurrency wallet extensions in the victim’s browser. It also retrieves a Python-based backdoor that monitors clipboard activity and ensures persistent remote access.
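The defensive counterpart to "review this project and give feedback" is to scan a cloned repository for loader-style JavaScript before anything in it is executed. The following is an added example, not code from the original article or from Bitdefender: a small heuristic scanner that flags the patterns such loaders tend to show (dynamic `eval`/`Function`, base64 decoding, long high-entropy string literals, process spawning, and the decode-then-execute combination). The two embedded JavaScript samples are constructed for the demonstration and are not the campaign's code; the pattern names and score weights are this example's own assumptions.

```python
import math
import re
from dataclasses import dataclass, field

# Heuristic signals seen in loaders dropped into "please review" repositories.
# A hit is a reason for a human to look closer, not proof of malice.
RISKY_CALLS = {
    "dynamic_eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\s*\("),
    "process_spawn": re.compile(r"child_process|\bspawn\s*\(|\bexecSync?\s*\("),
    "network_fetch": re.compile(r"\brequire\(\s*['\"](?:https?|net|axios)['\"]\s*\)|\bfetch\s*\("),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
# Quoted runs of 120+ base64-alphabet characters: typical of an embedded encoded stage.
LONG_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{120,})['\"]")
ENTROPY_THRESHOLD = 4.5  # bits per character; English-like text stays well below this


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character of the given string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts: dict[str, int] = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class ScanResult:
    findings: list[str] = field(default_factory=list)
    score: int = 0


def scan_js_source(source: str) -> ScanResult:
    """Score one JavaScript file; higher means more loader-like constructs."""
    result = ScanResult()
    hit_names: set[str] = set()
    for name, pattern in RISKY_CALLS.items():
        hits = pattern.findall(source)
        if hits:
            hit_names.add(name)
            result.findings.append(f"{name}: {len(hits)} occurrence(s)")
            result.score += 1
    for literal in LONG_LITERAL.findall(source):
        entropy = shannon_entropy(literal)
        if entropy > ENTROPY_THRESHOLD:
            hit_names.add("high_entropy_literal")
            result.findings.append(
                f"high_entropy_literal: len={len(literal)} entropy={entropy:.2f}"
            )
            result.score += 2
    # The combination that matters: opaque data is decoded and handed to the interpreter.
    if "dynamic_eval" in hit_names and hit_names & {"base64_decode", "high_entropy_literal"}:
        result.findings.append("decode_then_execute: opaque data is decoded and passed to eval/Function")
        result.score += 3
    return result


# Constructed samples (not real malware). The opaque blob is generated so that every
# base64 character appears equally often, giving it exactly 6.0 bits of entropy.
_B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_OPAQUE_BLOB = "".join(_B64_ALPHABET[(i * 37) % 64] for i in range(128))
SUSPICIOUS_SAMPLE = (
    "const cfg = require('./config');\n"
    f"const p = '{_OPAQUE_BLOB}';\n"
    "eval(Buffer.from(p, 'base64').toString());\n"
)
BENIGN_SAMPLE = (
    "const express = require('express');\n"
    "const app = express();\n"
    "app.get('/', (req, res) => res.send('ok'));\n"
    "app.listen(3000);\n"
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_js_source(sample)
        print(f"{label}: score={r.score}")
        for f in r.findings:
            print("  -", f)
```

Run it over every `.js` file in a cloned repository before opening the project in an editor or running `npm install`; a file with `decode_then_execute` in its findings is the one to read by hand first. The thresholds are deliberately coarse: minified libraries also produce long literals, so the score is a triage aid, not a verdict.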

This attack resembles the Contagious Interview campaign (also tracked as DeceptiveDevelopment and DEV#POPPER), which deploys the BeaverTail JavaScript stealer and the InvisibleFerret Python implant.

Multi-Layered Infection Chain

Lazarus Group’s attack chain is complex, using multiple programming languages. After the initial infection, the Python implant delivers a .NET binary. This binary starts a Tor proxy to communicate with the attacker’s command-and-control (C2) server. It exfiltrates system information and sets up additional malware.

One payload is a cryptocurrency miner that runs in the background, consuming system resources. Other payloads include keyloggers and data siphoners that steal sensitive information such as passwords and cryptocurrency credentials.

Bitdefender also found recursive Python scripts that decode and execute themselves. The .NET components disable security tools and configure the Tor proxy, which helps the malware persist.
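Two behaviours in the chain above translate directly into endpoint detection logic: a script host whose command line decodes an opaque blob and passes it to `exec`, and a Tor process that descends from a scripting host rather than from a user launching a Tor bundle. The following is an added example, not code from the article or from Bitdefender: it walks constructed process-creation events of the kind an endpoint sensor records and reports both patterns. Every process name, path and PID in the sample telemetry is invented for the demonstration and is not an indicator from the campaign; `--SocksPort` is a genuine Tor command-line option.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name as a sensor would record it
    cmdline: str


# Constructed telemetry shaped like process-creation events. Names are illustrative only.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "code.exe", "code.exe --folder dex-project"),
    ProcEvent(300, 200, "node.exe", "node index.js"),
    ProcEvent(400, 300, "python.exe",
              "python -c \"import base64;exec(base64.b64decode(b'<payload>'))\""),
    ProcEvent(500, 400, "svc_update.exe", "svc_update.exe"),
    ProcEvent(600, 500, "tor.exe", "tor.exe --SocksPort 9050"),
    ProcEvent(700, 100, "chrome.exe", "chrome.exe"),
]

SCRIPT_HOST = re.compile(r"^(?:python[\d.]*|node)(?:\.exe)?$", re.IGNORECASE)
TOR_IMAGE = re.compile(r"^tor(?:\.exe)?$", re.IGNORECASE)
DECODE_CALL = re.compile(r"b64decode|zlib\.decompress|marshal\.loads", re.IGNORECASE)
EXEC_CALL = re.compile(r"\b(?:exec|eval)\s*\(", re.IGNORECASE)


def ancestry(by_pid: dict[int, ProcEvent], ev: ProcEvent) -> list[ProcEvent]:
    """Return the process chain starting at ev and walking up through known parents."""
    chain = [ev]
    seen = {ev.pid}
    cur = ev
    while cur.ppid in by_pid and cur.ppid not in seen:   # seen guards against PID reuse loops
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_suspicious(events: list[ProcEvent]) -> list[tuple[str, list[int]]]:
    """Return (rule_name, pid_chain) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    alerts: list[tuple[str, list[int]]] = []
    for ev in events:
        # Rule 1: a script host decoding and executing its own payload inline.
        if SCRIPT_HOST.match(ev.image) and DECODE_CALL.search(ev.cmdline) and EXEC_CALL.search(ev.cmdline):
            alerts.append(("script_decodes_and_executes_itself", [ev.pid]))
        # Rule 2: a Tor proxy started somewhere beneath a script host.
        if TOR_IMAGE.match(ev.image) or "--SocksPort" in ev.cmdline:
            chain = ancestry(by_pid, ev)
            for depth, ancestor in enumerate(chain[1:], start=1):
                if SCRIPT_HOST.match(ancestor.image):
                    pids = [p.pid for p in chain[: depth + 1]]   # tor up to the nearest script host
                    alerts.append(("tor_proxy_descends_from_script_host", pids))
                    break
    return alerts


if __name__ == "__main__":
    for rule, pids in find_suspicious(SAMPLE_EVENTS):
        print(rule, "->", " <- ".join(str(p) for p in pids))
```

The ancestry walk is what makes the second rule useful: the .NET stage sits between the Python implant and Tor, so a rule that only inspects the direct parent of `tor.exe` would miss the chain. In production the same logic runs against the sensor's process tree rather than an in-memory list, and the script-host and decode patterns are tuned to the interpreters actually deployed in the environment.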

Widespread Impact and Variations in the Attack

This campaign has spread widely, with different versions reported on LinkedIn and Reddit. In some cases, attackers ask victims to clone a Web3 repository or fix bugs in the code.

One Bitbucket repository, miketoken_v2, was used in the attack and has since become inaccessible, a sign that the attackers keep rotating their infrastructure to stay ahead of security measures.

New Malware Variants Unveiled

SentinelOne recently discovered another malware variant named FlexibleFerret, which is linked to the Contagious Interview campaign. This highlights the Lazarus Group’s evolving tactics. They continue to use social engineering, cross-platform malware, and advanced evasion techniques to steal data.
