# Full Report
Bitdefender Labs warns of an active campaign by the North Korea-linked Lazarus Group, targeting organizations by capturing credentials and delivering malware through fake LinkedIn job offers. LinkedIn may be a vital tool for job seekers and professionals, but it has also become a playground for cybercriminals exploiting its credibility. From fake job offers and elaborate phishing schemes to scams and even state-sponsored threat actors who prey on people’s career aspirations and trust in profess
# Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
* **Attribution:** North Korea-linked group.
* **Known Aliases and Associated Groups:** Lazarus Group.
## Activity Summary
The campaign described involves using fake LinkedIn job offers to target potential victims, promising collaboration on decentralized cryptocurrency exchanges, travel projects, or financial domains. The operation follows a multi-stage infection chain initiated by victims running malicious code disguised as a "minimum viable product" (MVP) demonstration for a job application. The ultimate goal appears to be credential theft (especially cryptocurrency-related) and data exfiltration.
## Tactics, Techniques & Procedures
* **Initial Access:** Social engineering via fake LinkedIn job offers (Phishing/Spearphishing via social media).
* **Execution:** Delivering obfuscated scripts that dynamically load malicious code from third-party endpoints.
* **Persistence & Defense Evasion:**
  * Using multi-layered Python scripts that recursively decode and execute themselves.
  * Adding malicious binaries to the exception list of Microsoft Defender.
  * Utilizing a Tor proxy server for C2 communication.
  * Downloading and installing .NET 6.0 if missing.
* **Collection:**
  * Cross-platform info-stealing payload targeting cryptocurrency wallet extensions (Windows, macOS, Linux).
  * Collection of browser login data.
  * Keyboard hooking specifically targeting web browsers.
  * System-wide monitoring of clipboard changes for crypto-related data.
  * Exfiltration of valuable files (documents, environment variables, private keys, crypto mnemonics).
  * Data exfiltration focusing on browser data (logins, payment info) across Chrome, Brave, Opera, Yandex, and Microsoft Edge.
  * Backdoor module collecting browser passwords, sessions, crypto wallet keys, and Discord account secrets.
  * Keylogging using Win32 APIs.
  * System fingerprinting (host name, OS, CPU, GPU, RAM, public IP/geolocation).
* **Command and Control:**
  * Communication via a Tor C2 server.
  * Using Pastebins to retrieve URLs for subsequent payloads (`.exe`).
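The "scripts that recursively decode and execute themselves" pattern listed above is worth being able to unwrap without running anything. The following is an added analyst-side example, not code from the Bitdefender report or from the campaign: it statically peels nested `base64` + `zlib` layers (optionally reversed strings) from a script and reports which indicators appear at which depth. The wrapped sample is constructed inline around a harmless inner script; the layer layout, regexes and indicator list are assumptions for illustration, not the actual samples' structure.

```python
import base64
import re
import zlib

# Constructed sample: a harmless inner script wrapped in three encode-and-exec
# layers, imitating the self-decoding structure described in the TTP list.
INNER = 'url = "hxxps://pastebin[.]com/raw/EXAMPLE"\nprint("stage two would be fetched from", url)\n'


def wrap_layer(script: str, reverse: bool) -> str:
    """Build one obfuscation layer (zlib + base64, optionally string-reversed)."""
    blob = base64.b64encode(zlib.compress(script.encode())).decode()
    if reverse:
        blob = blob[::-1]
        return f'import base64,zlib;exec(zlib.decompress(base64.b64decode("{blob}"[::-1])))'
    return f'import base64,zlib;exec(zlib.decompress(base64.b64decode("{blob}")))'


SAMPLE = wrap_layer(wrap_layer(wrap_layer(INNER, False), True), False)

# Matches the decode call and captures the blob plus an optional [::-1] reversal.
LAYER_RE = re.compile(r'b64decode\("([A-Za-z0-9+/=]+)"(\[::-1\])?\)')


def peel_once(script: str):
    """Return the next inner layer, or None if the script is not a wrapper."""
    m = LAYER_RE.search(script)
    if not m:
        return None
    blob = m.group(1)
    if m.group(2):          # the script reverses the string before decoding
        blob = blob[::-1]
    try:
        return zlib.decompress(base64.b64decode(blob)).decode()
    except (zlib.error, ValueError, UnicodeDecodeError):
        return None


def unpack(script: str, max_layers: int = 10):
    """Peel layers statically (never exec) until the innermost script is reached."""
    layers = [script]
    while len(layers) <= max_layers:
        nxt = peel_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


# Indicators a defender would want flagged at any depth (assumed list).
INDICATORS = {
    "url": re.compile(r"h..ps?://[^\s\"']+"),        # also catches defanged hxxp(s)
    "pastebin": re.compile(r"pastebin", re.I),
    "exec": re.compile(r"\bexec\("),
    "defender_exclusion": re.compile(r"MpPreference|ExclusionPath", re.I),
}


def scan(script: str) -> dict:
    """Unpack the script and report which indicators occur at which layer depth."""
    layers = unpack(script)
    found = {}
    for depth, text in enumerate(layers):
        for name, rx in INDICATORS.items():
            if rx.search(text):
                found.setdefault(name, []).append(depth)
    return {"layers": len(layers), "indicators": found}


if __name__ == "__main__":
    report = scan(SAMPLE)
    print(f"{report['layers']} layers; indicators by depth: {report['indicators']}")
    print("innermost script:\n" + unpack(SAMPLE)[-1])
```

Because every layer is decoded with `zlib`/`base64` and never passed to `exec`, the tool is safe to run on a real sample; the URL and Pastebin hits only surface in the innermost layer, which is exactly why triage on the outer wrapper alone misses them.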
## Targeting
* **Sectors:** While the recruitment campaign is broad, the payload strongly suggests targeting individuals or organizations involved with **Cryptocurrency/Finance** technology due to the specific wallet/extension targeting.
* **Geography:** Unspecified, but the cross-platform nature (Windows, macOS, Linux) suggests a wide reach. Each victim's public IP and country/city information is exfiltrated.
* **Victims:** Individuals seeking employment or collaboration opportunities, particularly those interested in cryptocurrency projects.
## Tools & Infrastructure
* **Malware Families Used:**
  * Cross-platform info-stealer (JavaScript).
  * Collection scripts: `_mlip.py` (keylogger/clipboard monitor), `pay.py` (file exfiltration), `bow.py` (browser data exfiltration).
  * Tsunami Injector Python script.
  * .NET binary stager.
  * Backdoor, "secret file" stealer, crypto-miner, and keylogger modules (run as threads on the final payload).
* **Infrastructure (C2, domains, IPs):**
  * Malicious IP address (initial data exfiltration).
  * Remote attacker-controlled server.
  * Tor C2 server.
  * Pastebins (used to fetch payload URLs).
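Two of the behaviours above leave host and network traces that are cheap to hunt for: a Defender exclusion being added (Microsoft Defender logs configuration changes as event 5007 in its Operational channel) and a Pastebin raw fetch followed shortly by an `.exe` download from the same client. The following is an added detection example, not code from the report: it runs both checks over constructed sample records. The event layout, the proxy log format, the `10` minute correlation window and the host names/addresses are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed Defender Operational events (assumed shape). Event 5007 reports a
# configuration change and names the changed registry value in its message.
DEFENDER_EVENTS = [
    {"time": "2024-05-01T09:01:10", "id": 5007, "host": "WS01",
     "message": r"Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                r"\Exclusions\Paths\C:\Users\dev\AppData\Local\Temp\stager.exe = 0x0"},
    {"time": "2024-05-01T09:30:00", "id": 5007, "host": "WS02",
     "message": r"Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                r"\Real-Time Protection\DisableScanOnRealtimeEnable = 0x0"},
    {"time": "2024-05-01T10:00:00", "id": 1116, "host": "WS03",
     "message": "Malware detected (unrelated sample event)"},
]

# Constructed proxy log lines: "<iso-time> <client-ip> <method> <url> <status>".
PROXY_LOG = [
    "2024-05-01T09:00:05 10.0.0.5 GET https://pastebin.com/raw/EXAMPLEID 200",
    "2024-05-01T09:00:40 10.0.0.5 GET http://198.51.100.7/update/stager.exe 200",
    "2024-05-01T11:15:00 10.0.0.9 GET https://pastebin.com/raw/OTHERID 200",
    "2024-05-01T12:00:00 10.0.0.9 GET https://www.example.com/index.html 200",
]

# Capture the excluded path/process/extension from a 5007 message.
EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Processes|Extensions)\\(.+?) = 0x")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
PASTE_RE = re.compile(r"^https?://(www\.)?pastebin\.com/raw/", re.I)


def find_exclusion_changes(events):
    """Return (host, excluded item) for every 5007 event that adds a Defender exclusion."""
    hits = []
    for ev in events:
        if ev["id"] != 5007:
            continue
        m = EXCLUSION_RE.search(ev["message"])
        if m:
            hits.append((ev["host"], m.group(2)))
    return hits


def parse_proxy(lines):
    """Parse proxy lines into dicts; lines that do not match the format are skipped."""
    out = []
    for ln in lines:
        m = PROXY_RE.match(ln)
        if m:
            out.append({"time": datetime.fromisoformat(m.group(1)),
                        "client": m.group(2), "url": m.group(4)})
    return out


def find_paste_then_exe(lines, window_minutes=10):
    """Correlate a Pastebin raw fetch with an .exe download by the same client soon after."""
    events = parse_proxy(lines)
    window = timedelta(minutes=window_minutes)
    hits = []
    for p in events:
        if not PASTE_RE.match(p["url"]):
            continue
        for e in events:
            same_client = e["client"] == p["client"]
            is_exe = e["url"].lower().endswith(".exe")
            in_window = p["time"] <= e["time"] <= p["time"] + window
            if same_client and is_exe and in_window:
                hits.append((p["client"], p["url"], e["url"]))
    return hits


if __name__ == "__main__":
    for host, item in find_exclusion_changes(DEFENDER_EVENTS):
        print(f"[defender] exclusion added on {host}: {item}")
    for client, paste, exe in find_paste_then_exe(PROXY_LOG):
        print(f"[proxy] {client} fetched {paste} then downloaded {exe}")
```

The second check deliberately ignores a lone Pastebin hit (developers do read pastes); it is the paste-then-binary sequence per client that reproduces the staging order described in the TTPs. The exclusion check is independent of how the exclusion was added, since Defender logs the resulting registry change rather than the command.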
## Implications
Lazarus Group continues to leverage sophisticated social engineering tailored to career aspirations, utilizing complex, multi-stage infection chains written across various languages (JavaScript, Python, .NET). Their primary operational focus in this campaign is high-value financial data, specifically cryptocurrency credentials, indicating a strong financial motivation, typical of Lazarus sub-groups. The use of Tor adds a layer of anonymity to their infrastructure management.
## Mitigations
* **Verify Authenticity:** Cross-check all unsolicited job offers with official corporate websites and confirm contact details using verified corporate email domains.
* **Code Execution Safety:** Never execute unverified source code, especially development "MVPs" from unknown sources, on production or enterprise devices. Use isolated environments (VMs/sandboxes) when testing code of uncertain origin.
* **Suspicious Activity Awareness:** Be wary of vague job descriptions lacking official postings, communication with frequent spelling errors, and reluctance to use alternative, verifiable contact methods (corporate phone/email).
* **Browser Security:** Ensure browser extensions related to cryptocurrency wallets are up-to-date; review browser security settings and avoid granting excessive permissions to unfamiliar software.