North Korean hackers target crypto experts with fake Coinbase job offers
North Korean hackers use phoney Coinbase job offers to target cryptocurrency professionals.
The renowned North Korean hacking outfit Lazarus has uncovered a new social engineering scheme in which the hackers pose as Coinbase to lure workers into the fintech sector.
The hacker organisation frequently contacts people via LinkedIn to make a job offer and start a conversation as part of a social engineering operation.
Hossein Jazi, a security researcher at Malwarebytes who has been closely monitoring Lazarus activity since February 2022, claims that the threat actors are currently impersonating Coinbase and attempting to recruit people for the position of “Engineering Manager, Product Security.”
One of the biggest cryptocurrency exchange platforms in the world is Coinbase, which has helped Lazarus set himself up for a lucrative and alluring job offer at a famous company.
Victims downloading what they think is a PDF about an open position download malicious malware disguised as a PDF icon. In this instance, the file is called “Coinbase online careers 2022 07.exe,” which, when run, loads a malicious DLL and displays the fake PDF document shown below.
When the virus has been run, it will use GitHub as a command and control server to get instructions on what to do with the infected device.
This attack chain resembles one Malwarebytes described in a blog post at the beginning of the year.
According to Jazi, who spoke to Bleeping Computer, Lazarus uses comparable strategies and techniques to infect their targets with malware, and the various phishing campaigns share infrastructure.
Lazarus has previously used phoney job offers for General Dynamics and Lockheed Martin campaigns.
Lazarus hackers go after cryptocurrency. Banks, cryptocurrency exchanges, NFT markets, and individual investors with sizeable holdings have all been targeted by state-sponsored North Korean hacking groups for financial reasons.
U.S. intelligence services highlighted the threat of Lazarus spreading trojanized cryptocurrency wallets and investment apps that steal users’ private keys and syphon their holdings earlier in the year.
In April, the U.S. Treasury and FBI established a connection between Lazarus and cryptocurrency theft from the blockchain-based game Axie Infinity, accusing them of stealing over $617 million worth of Ethereum and USDC tokens.
The Axie Infinity attack, made public in July, was made possible by a malicious PDF file that purportedly contained information about a lucrative job offer sent to one of the blockchain’s engineers.
The engineer’s PC became infected after opening the file, which allowed Lazarus to gain more authority and move across the company’s network before discovering a weakness in the Ronin Bridge and starting an exploit.
Lazarus is likely aiming for a similar attack with the most recent Coinbase-lured campaign; all it would take is just one employee to open the PDF to give the hackers access to the corporate network.