Lazarus APT is active in spreading fake job offers on Coinbase

August 16, 2022

The notorious North Korean advanced persistent threat (APT) group Lazarus is conducting a new social engineering campaign that impersonates the Coinbase company to target employees in fintech firms through fake job offers.

The attack begins with the attackers approaching targets on LinkedIn. They then offer a job and hold a preliminary discussion to convince the target that the offer is legitimate.

Biting into the fake job offers would compromise the victims’ sensitive data.

Since the start of the year, the Lazarus group is believed to have been recruiting for Engineering Manager and Product Security roles. Once a target is deceived into downloading what appears to be a PDF describing the position, they are instead infected by a malicious executable named Coinbase_online_careers_2022_07[.]exe. The executable carries a PDF icon so that it passes for a document.

When run, the executable displays a decoy PDF document while loading a malicious DLL. Once the DLL is running, the malware uses GitHub as a command-and-control server to fetch commands for the compromised device.
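As an added example, not code from the article or from any vendor, the following Python sketch shows how a defender could correlate the three stages of the chain described above per process in simplified endpoint telemetry. The event field names, directory lists, GitHub domains and the lure-name pattern are assumptions chosen for illustration; the sample events are constructed.

```python
import re
from collections import defaultdict

# Assumed directory and domain lists (hypothetical, tune for your environment).
USER_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
GITHUB_DOMAINS = ("github.com", "raw.githubusercontent.com", "api.github.com")
# Hypothetical pattern for executables posing as job-offer documents.
LURE_NAME = re.compile(r"(career|job|offer|position|resume|cv)\w*\.exe$", re.I)

# Constructed, Sysmon-like sample events (not real telemetry).
EVENTS = [
    {"type": "process_create", "pid": 4120, "signed": False,
     "image": r"C:\Users\alice\Downloads\Coinbase_online_careers_2022_07.exe"},
    {"type": "image_load", "pid": 4120, "signed": False,
     "image": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"type": "network_connect", "pid": 4120, "image": "", "dest_host": "raw.githubusercontent.com"},
    {"type": "process_create", "pid": 5001, "signed": True,
     "image": r"C:\Program Files\Git\cmd\git.exe"},
    {"type": "network_connect", "pid": 5001, "image": "", "dest_host": "github.com"},
]

def correlate(events):
    """Return {pid: [stages]} for processes that hit all three stages:
    1. unsigned executable with a lure-like name launched from a user-writable dir,
    2. that process loading an unsigned DLL from outside system directories,
    3. that process connecting to a GitHub domain (used as C2 in this campaign)."""
    stages = defaultdict(set)
    for ev in events:
        pid, path = ev["pid"], ev["image"].lower()
        if ev["type"] == "process_create":
            if (any(d in path for d in USER_DIRS) and LURE_NAME.search(path)
                    and not ev.get("signed", False)):
                stages[pid].add("lure_executable")
        elif ev["type"] == "image_load" and path.endswith(".dll"):
            if not ev.get("signed", False) and not path.startswith(SYSTEM_DIRS):
                stages[pid].add("unsigned_dll_sideload")
        elif ev["type"] == "network_connect":
            if ev["dest_host"].lower() in GITHUB_DOMAINS:
                stages[pid].add("github_beacon")
    # Only report processes that exhibit the complete chain, to keep noise down.
    return {pid: sorted(s) for pid, s in stages.items() if len(s) == 3}

if __name__ == "__main__":
    for pid, hits in correlate(EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

A legitimate git.exe reaching github.com triggers only one stage and is not reported; requiring all three stages on the same process is what keeps the rule from firing on ordinary developer traffic.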

This campaign has been drawing attention since the start of the year, with several researchers reporting similar activity across the threat landscape.

Moreover, the Lazarus group has launched financially motivated attacks against cryptocurrency exchanges in the previous months. Different forms of online currency have been targeted by this North Korean threat group, which caused numerous users to lose substantial amounts of funds.

Last April, the FBI attributed the attack on the game Axie Infinity to the Lazarus group. The attack on this “play to earn” online game has caused millions of dollars in damages, leaving gamers scrambling for money.

Also, this year, the United States intelligence services released an advisory regarding the Lazarus group’s distribution of trojanised investment and cryptocurrency wallet applications to steal users’ private keys and their funds.

This North Korean threat group is a prime example of a financially motivated actor that constantly updates its tactics to achieve its goals. Organisations should consider employing threat intelligence services to stay informed about emerging threats and trends. Adopting such a service can also help limit the damage from malicious attacks.
