North Korean hackers used fake Coinbase job listings to attack cryptocurrency experts.
The infamous North Korean hacker organization Lazarus has launched a new social engineering initiative in which hackers impersonate Coinbase to lure fintech workers.
Hacker organizations often connect with people through LinkedIn, offering jobs and initiating conversations as part of their social engineering work. Hossein Jazi, a security researcher at Malwarebytes who has been following Lazarus closely since February 2022, claims that the attackers are now impersonating Coinbase and trying to hire people for the position of "Product Security Engineering Manager".
Coinbase is one of the largest cryptocurrency exchange platforms in the world, which makes its name a convenient cover for Lazarus when preparing profitable and attractive job offers from well-known companies.
Victims who download what they think is a PDF about an open position actually receive an executable disguised with a PDF icon. In this instance, the file is called “Coinbase online careers 2022 07.exe,” which, when run, loads a malicious DLL and displays the fake PDF document shown below.
Once the malware has been run, it uses GitHub as a command and control server to get instructions on what to do with the infected device.
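The lure above works because Windows hides the ".exe" extension by default and the file carries a PDF icon, so the user sees a document. A file's leading bytes cannot be dressed up the same way: a PDF starts with `%PDF` and a Windows executable starts with `MZ`. The following is an added defensive example, not code from the article or from Malwarebytes; it flags executables whose names read like job documents, using a constructed keyword list and constructed sample files written to a temporary directory.

```python
"""Flag files that present as documents but are actually Windows executables.

Added example (not from the article). Checks the file header rather than the
icon or the visible name, so a PE executable named like a job description is
caught regardless of how it is dressed up. All sample files are constructed.
"""
import os
import tempfile

PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"
# Constructed heuristic: words a job-offer lure is likely to carry in its name.
DOCUMENT_WORDS = ("career", "job", "offer", "position", "resume", "cv")


def file_kind(path):
    """Classify a file by its magic bytes, ignoring extension and icon."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "other"


def looks_like_document(name):
    """True when the filename stem contains a document-style keyword."""
    stem = os.path.splitext(name)[0].lower()
    return any(word in stem for word in DOCUMENT_WORDS)


def suspicious(path):
    """True when a PE executable is dressed up as a job document."""
    return file_kind(path) == "pe" and looks_like_document(os.path.basename(path))


def scan(directory):
    """Walk a directory tree and return the names of suspicious files."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if suspicious(os.path.join(root, name)):
                hits.append(name)
    return sorted(hits)


def build_samples(directory):
    """Write constructed samples: the lure executable, a real PDF, a benign installer."""
    samples = {
        "Coinbase online careers 2022 07.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
        "job-description.pdf": PDF_MAGIC + b"-1.7\n%\xe2\xe3\xcf\xd3\n",
        "setup.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return list(samples)


def demo():
    """Build the samples in a temp directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan(tmp)


if __name__ == "__main__":
    print(demo())
```

Only the lure is flagged: the PDF has the right header, and the installer is an executable but carries no document-style name. The header check is the part worth keeping; the keyword list is a starting point to tune against a mail gateway's or endpoint agent's real traffic.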
This attack chain resembles one Malwarebytes described in a blog post at the beginning of the year.
According to Jazi, who spoke to Bleeping Computer, Lazarus uses comparable strategies and techniques to infect their targets with malware, and the various phishing campaigns share infrastructure.
Lazarus has previously used phony job offers in campaigns impersonating General Dynamics and Lockheed Martin.
Lazarus hackers go after cryptocurrency. Banks, cryptocurrency exchanges, NFT markets, and individual investors with sizeable holdings have all been targeted by state-sponsored North Korean hacking groups for financial reasons.
U.S. intelligence services highlighted the threat of Lazarus spreading trojanized cryptocurrency wallets and investment apps that steal users’ private keys and syphon their holdings earlier in the year.
In April, the U.S. Treasury and FBI established a connection between Lazarus and cryptocurrency theft from the blockchain-based game Axie Infinity, accusing them of stealing over $617 million worth of Ethereum and USDC tokens.
The Axie Infinity attack, made public in July, was made possible by a malicious PDF file that purportedly contained information about a lucrative job offer sent to one of the blockchain’s engineers.
The engineer’s PC became infected after opening the file, which allowed Lazarus to escalate privileges and move laterally across the company’s network before discovering a weakness in the Ronin Bridge and exploiting it.
Lazarus is likely aiming for a similar attack with the most recent Coinbase-themed campaign; it would take just one employee opening the fake PDF to give the hackers access to the corporate network.