
Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign

By The Hacker News
February 5, 2025


Feb 05, 2025Ravie LakshmananCryptocurrency / Data Breach

The North Korea-linked Lazarus Group has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems.

According to cybersecurity company Bitdefender, the scam begins with a message sent on a professional social media network, enticing the recipient with the promise of remote work, part-time flexibility, and good pay.

“Once the target expresses interest, the ‘hiring process’ unfolds, with the scammer requesting a CV or even a personal GitHub repository link,” the Romanian firm said in a report shared with The Hacker News.


“Although seemingly innocent, these requests can serve nefarious purposes, such as harvesting personal data or lending a veneer of legitimacy to the interaction.”

Once the requested details are obtained, the attack moves to the next stage where the threat actor, under the guise of a recruiter, shares a link to a GitHub or Bitbucket repository containing a minimum viable product (MVP) version of a supposed decentralized exchange (DEX) project and instructs the victim to check it out and provide their feedback.

Present within the code is an obfuscated script configured to retrieve a next-stage payload from api.npoint[.]io. That payload is a cross-platform JavaScript information stealer capable of harvesting data from various cryptocurrency wallet extensions that may be installed in the victim’s browser.

The stealer also doubles up as a loader to retrieve a Python-based backdoor responsible for monitoring clipboard content changes, maintaining persistent remote access, and dropping additional malware.

At this stage, it’s worth noting that the tactics documented by Bitdefender overlap with a known attack activity cluster dubbed Contagious Interview (aka DeceptiveDevelopment and DEV#POPPER), which is designed to drop a JavaScript stealer called BeaverTail and a Python implant referred to as InvisibleFerret.

The malware deployed via the Python backdoor is a .NET binary that can download and start a TOR proxy server to communicate with a command-and-control (C2) server, exfiltrate basic system information, and deliver another payload that, in turn, can siphon sensitive data, log keystrokes, and launch a cryptocurrency miner.

“The threat actors’ infection chain is complex, containing malicious software written in multiple programming languages and using a variety of technologies, such as multi-layered Python scripts that recursively decode and execute themselves, a JavaScript stealer that first harvests browser data before pivoting to further payloads, and .NET-based stagers capable of disabling security tools, configuring a Tor proxy, and launching crypto miners,” Bitdefender said.


There is evidence to suggest these efforts are quite widespread, going by reports shared on LinkedIn and Reddit, with minor tweaks to the overall attack chain. In some cases, the candidates are asked to clone a Web3 repository and run it locally as part of an interview process, while in others they are instructed to fix intentionally introduced bugs in the code.
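
The check below is an added example, not code from Bitdefender or The Hacker News: a static first pass over files from a repository received during such a "hiring process", flagging the api.npoint[.]io reference and the obfuscation the report describes. The rule names, thresholds and sample files are assumptions constructed for illustration.

```javascript
// Added example: static triage of files from an unsolicited "interview" repository
// before anything is installed or run. Heuristics and thresholds are assumptions.
const STAGING_HOST = /api\.npoint(?:\[\.\]|\.)io/i; // host named in the report (plain or defanged)
const OBF_IDENT = /_0x[0-9a-f]{4,}/gi;              // identifier style typical of JS obfuscators
const HEX_ESCAPE = /\\x[0-9a-f]{2}/gi;              // hex-escaped string contents
const DYNAMIC_EXEC = /\beval\s*\(|\bnew\s+Function\s*\(/;
const MAX_LINE = 1000;    // assumed: hand-written source rarely has longer lines
const MAX_DENSITY = 0.02; // assumed: obfuscation tokens per character

function scanSource(path, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const hit = (rule) => findings.push({ path, line: i + 1, rule });
    if (STAGING_HOST.test(line)) hit("staging-host");
    if (DYNAMIC_EXEC.test(line)) hit("dynamic-exec");
    if (line.length > MAX_LINE) hit("long-line");
    const tokens = (line.match(OBF_IDENT) || []).length + (line.match(HEX_ESCAPE) || []).length;
    if (line.length >= 40 && tokens / line.length > MAX_DENSITY) hit("obfuscated");
  });
  return findings;
}

function triage(files) {
  const findings = files.flatMap((f) => scanSource(f.path, f.text));
  return { findings, suspicious: findings.length > 0 };
}

// Constructed sample input (inert; not taken from any real repository).
const SAMPLE_REPO = [
  { path: "server/app.js", text: 'const express = require("express");\nconst app = express();\napp.listen(3000);' },
  { path: "server/utils/logger.js", text: [
      "module.exports = (msg) => console.log(msg);",
      String.raw`var _0x4c1d=["\x61\x78\x69\x6f\x73","\x67\x65\x74"];(function(_0x1a2b3c,_0x5e6f){return eval(_0x1a2b3c[_0x5e6f]);})(_0x4c1d,0x0);`,
      'fetch("https://api.npoint.io/CONSTRUCTED_ID");',
    ].join("\n") },
];

for (const f of triage(SAMPLE_REPO).findings) console.log(`${f.path}:${f.line} ${f.rule}`);
```

A clean result does not show a repository is safe, since the report describes multiple obfuscation layers; unfamiliar interview code belongs in a disposable VM or container with no wallet extensions or credentials present.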

One of the Bitbucket repositories in question refers to a project named “miketoken_v2.” It is no longer accessible on the code hosting platform.

The disclosure comes a day after SentinelOne revealed that the Contagious Interview campaign is being used to deliver another malware codenamed FlexibleFerret.
