Full Report
Bitdefender Labs warns of an active campaign by the North Korea-linked Lazarus Group, targeting organizations by capturing credentials and delivering malware through fake LinkedIn job offers. LinkedIn may be a vital tool for job seekers and professionals, but it has also become a playground for cybercriminals exploiting its credibility. From fake job offers and elaborate phishing schemes to scams and even state-sponsored threat actors who prey on people’s career aspirations and trust in profess
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to North Korea. Associated with the Lazarus Group (also known as Hidden Cobra, APT38, Guardians of Peace, etc., though the article only explicitly names Lazarus Group).
## Activity Summary
The actor is running an active campaign that uses fake LinkedIn job offers to target organizations, seeking to capture credentials and deliver multi-stage malware. The operation detailed in the report offered collaboration on a decentralized cryptocurrency exchange project under the guise of a recruitment process, then tricked the target into executing code from a supplied "minimum viable product" (MVP) repository.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing via LinkedIn messages offering remote job opportunities (T1566.001 - Phishing: Spearphishing Link or T1566.002 - Phishing: Spearphishing Attachment if code/documents are attached).
- **Execution & Persistence:** Delivering obfuscated cross-platform scripts (JavaScript, Python) via seemingly legitimate project code/demos. Scripts recursively decode payloads.
- **Credential Dumping & Stealing:** Harvesting credentials from browsers and information related to cryptocurrency wallet extensions.
- **Data Exfiltration:** Exfiltrating stolen data, system information, and files (documents, environment variables, private keys, crypto mnemonics) to remote C2 servers.
- **Defense Evasion:** Adding malicious binaries to the exception list of Microsoft Defender.
- **Network Evasion/Anonymization:** Downloading and starting a Tor Proxy Server for communication with the C2 server.
- **Lateral Movement/Staging:** Downloading and executing further payloads, including a .NET binary, via Tor C2.
- **Specific Payload Actions:** Keylogging, clipboard monitoring (specifically for crypto data), keyboard hooking targeting web browsers.
## Targeting
- Sectors: General targeting appears focused on individuals whose execution of code could lead to credential or cryptocurrency theft, including those in finance/crypto, travel, or general corporate roles open to remote work.
- Geography: Global (implied by the nature of LinkedIn recruitment campaigns and cross-platform malware deployment: Windows, macOS, and Linux observed).
- Victims: Unsuspecting job seekers and professionals using LinkedIn.
## Tools & Infrastructure
- **Malware Families Used:**
  - Cross-platform info-stealer (JavaScript based).
  - Python modules for keylogging (**_mlip.py_**), system reporting/file exfiltration (**_pay.py_**), and browser data extraction (**_bow.py_**).
  - **Tsunami Injector** Python script used by **_bow.py_** to fetch payloads (.exe).
  - .NET binary payload for persistence and C2 communication.
  - Backdoor module (for data collection).
  - "Secret file" stealer module.
  - Crypto-miner module.
  - Keylogger module (using Win32 APIs).
- **Infrastructure:**
  - Malicious IP address used as the initial exfiltration endpoint.
  - Attacker-controlled C2 server.
  - Tor C2 server for secondary payloads and command delivery.
  - Use of pastebin sites to host payload URLs.
## Implications
Lazarus Group is using trusted professional networking platforms (LinkedIn) to conduct highly sophisticated, multi-stage supply chain/human-centric attacks. The complexity of the multi-language chain (JS, Python, .NET) and the focus on cryptocurrency infrastructure indicate a high-severity, financially or state-driven objective. The deployment of Tor suggests an attempt at operational security to hide the final C2 infrastructure.
## Mitigations
- Avoid running unverified code, especially code delivered through social engineering platforms; if it must be run, do so only in sandboxes, VMs, or online testing platforms.
- Verify job offers through official corporate channels and cross-check email domains.
- Scrutinize unsolicited messages, especially those with vague job descriptions or requiring immediate execution of code/demos.
- Deploy robust endpoint detection and response (EDR) solutions capable of detecting script execution, recursive decoding, and indicators of compromise associated with file exfiltration and Tor usage.
- Implement network monitoring to detect communication established over the Tor network originating from endpoints.
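As an added example (not part of the Bitdefender report), the following Python flags three of the endpoint behaviours listed above in constructed JSON-lines telemetry: a Defender exclusion added from the command line, tor.exe launched by a script interpreter, and a script host connecting to a local Tor SOCKS port. The telemetry schema, field names, port list, and sample events are assumptions made for this example.

```python
import json
import re

# Assumptions: Tor's default SOCKS/ORPort numbers and a small JSON-lines schema (type, pid, image, parent, cmdline, dst_port).
TOR_PORTS = {9050, 9150, 9001}
SCRIPT_HOSTS = {"node.exe", "python.exe", "pythonw.exe", "powershell.exe"}
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Label one telemetry event with the report TTP it matches, or return None."""
    image = basename(event.get("image", ""))
    if event["type"] == "process":
        if DEFENDER_EXCLUSION.search(event.get("cmdline", "")):
            return "defender_exclusion_added"        # defense evasion
        if image == "tor.exe" and basename(event.get("parent", "")) in SCRIPT_HOSTS:
            return "tor_started_by_script_host"      # Tor proxy launched by a stager
    elif event["type"] == "network":
        if event.get("dst_port") in TOR_PORTS and image in SCRIPT_HOSTS:
            return "script_host_to_tor_port"         # C2 traffic handed to local Tor
    return None

def scan(lines):
    """Run classify() over JSON-lines telemetry; return (pid, label) for each hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            findings.append((event["pid"], label))
    return findings

# Constructed sample telemetry (no real indicators): a Node stager adds a Defender
# exclusion, a Python module starts tor.exe, then Python talks to the local SOCKS port.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1201, "parent": "node.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\dev\AppData\Roaming\svc"},
    {"type": "process", "pid": 1288, "parent": "explorer.exe",
     "image": r"C:\Program Files\Git\cmd\git.exe", "cmdline": "git pull"},
    {"type": "process", "pid": 1340, "parent": "python.exe",
     "image": r"C:\Users\dev\AppData\Roaming\svc\tor.exe", "cmdline": "tor.exe -f torrc"},
    {"type": "network", "pid": 1355, "image": r"C:\Python311\python.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]
```

A real deployment would correlate these hits by parent/child process lineage rather than treating each label in isolation, since a Tor client started by an administrator is not by itself malicious.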