The North Korean state-sponsored hacking group Lazarus is running a new social engineering campaign in which the attackers pose as Coinbase to lure workers in the fintech sector. The group typically makes first contact on LinkedIn with a job offer and uses the resulting conversation to build trust before delivering anything malicious.
Hossein Jazi, a security researcher at Malwarebytes who has been tracking Lazarus activity since February 2022, reports that the threat actors are now impersonating Coinbase and "recruiting" for the position of "Engineering Manager, Product Security." Coinbase is one of the largest cryptocurrency exchanges in the world, which lets Lazarus dangle a lucrative and attractive job offer at a well-known company.
Victims who download what they believe is a PDF describing the open position actually receive a Windows executable that uses a PDF icon to pass as a document. In this instance the file is named "Coinbase_online_careers_2022_07.exe"; when run, it loads a malicious DLL and displays a decoy PDF so the target sees what they expected. Once running, the malware uses GitHub as its command-and-control server to fetch instructions for the infected device.
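The lure above works because the file's name and icon say "PDF" while its content is a PE image. The following triage check, added here as an illustration and not taken from the article or from Malwarebytes' analysis, classifies a file by its leading bytes rather than by its name or icon and flags the usual masquerading patterns (executable with a decoy ".pdf" before the real extension, executable hiding behind a document extension, and a plain ".exe" whose only "document" quality would be its icon). The PE and PDF byte strings are constructed samples, and the real "Coinbase_online_careers_2022_07.exe" is assumed to be nothing more than what the article describes: a PE file.

```python
"""
Added example: content-based triage for "document" downloads.

Windows Explorer hides known extensions by default, so a PE named
Coinbase_online_careers_2022_07.exe with a PDF icon is shown as
"Coinbase_online_careers_2022_07" with a PDF icon. Checking the magic
bytes sidesteps both the name and the icon.
"""
import struct

MZ_MAGIC = b"MZ"            # DOS header signature at offset 0
PE_SIGNATURE = b"PE\0\0"    # NT header signature; its offset is stored at 0x3C
PDF_MAGIC = b"%PDF-"        # PDF files begin with this header

EXEC_EXTS = {"exe", "scr", "com", "dll", "pif"}
DOC_EXTS = {"pdf", "doc", "docx", "txt", "rtf"}


def sniff_type(data: bytes) -> str:
    """Classify by content only: 'pe', 'pdf' or 'unknown'."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_offset:pe_offset + 4] == PE_SIGNATURE:
            return "pe"
    return "unknown"


def split_name(filename: str):
    """Return (stem, final extension lowercased); '' if there is no extension."""
    if "." not in filename:
        return filename, ""
    stem, ext = filename.rsplit(".", 1)
    return stem, ext.lower()


def has_decoy_extension(filename: str) -> bool:
    """True for names like 'offer.pdf.exe', where a document extension
    precedes the real one so a hidden-extension display reads 'offer.pdf'."""
    stem, _ = split_name(filename)
    _, inner_ext = split_name(stem)
    return inner_ext in DOC_EXTS


def triage(filename: str, data: bytes) -> str:
    """Combine content type with what the name claims and return a verdict token."""
    sniffed = sniff_type(data)
    _, ext = split_name(filename)

    if sniffed == "pe":
        if has_decoy_extension(filename):
            return "pe_decoy_extension"       # e.g. careers.pdf.exe
        if ext in EXEC_EXTS:
            return "pe"                       # honest extension; only the icon can lie
        return "pe_disguised"                 # PE bytes behind a non-executable name
    if sniffed == "pdf":
        return "pdf" if ext == "pdf" else "pdf_misnamed"
    return "unknown"


def _constructed_pe() -> bytes:
    """Constructed sample: the minimal bytes that satisfy the MZ/PE checks above."""
    header = bytearray(0x40)
    header[0:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    return bytes(header) + PE_SIGNATURE + b"\0" * 24


# Constructed samples; the first name is the one reported in the campaign.
SAMPLES = {
    "Coinbase_online_careers_2022_07.exe": _constructed_pe(),
    "Coinbase_online_careers_2022_07.pdf.exe": _constructed_pe(),
    "Coinbase_online_careers_2022_07.pdf": _constructed_pe(),
    "real_job_description.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n",
    "real_job_description.exe": b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n",
}


def triage_all(samples=SAMPLES) -> dict:
    """Run triage over every sample and return {filename: verdict}."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{verdict:20s} {name}")
```

The verdict for the real campaign file is a plain "pe": the name is honest, and the deception lives entirely in the icon resource and in Explorer's hidden extensions. That is the point of sniffing content: a mail gateway or endpoint control that blocks or sandboxes anything returning "pe" from a recruiter's link does not need to know what the icon looks like.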
This attack chain resembles one Malwarebytes described in a blog post at the beginning of the year. Jazi said that Lazarus uses similar tactics and techniques to infect its targets and that the infrastructure behind each phishing effort is the same. Lazarus has previously used fake job offers in campaigns impersonating General Dynamics and Lockheed Martin.
Banks, cryptocurrency exchanges, NFT marketplaces, and individual investors with sizeable holdings have all been targeted by state-sponsored North Korean hacking groups for financial gain. Earlier this year, U.S. agencies warned that Lazarus was distributing trojanized cryptocurrency wallet and investment applications that steal users' private keys and drain their assets.
In April, the U.S. Treasury and the FBI linked Lazarus to the theft of cryptocurrency from the blockchain-based game Axie Infinity, accusing the group of stealing over $617 million worth of Ethereum and USDC tokens. Details that emerged in July showed the Axie Infinity attack was made possible by a malicious PDF file that purportedly contained information about a lucrative job offer, sent to one of the game's engineers.
The engineer's PC was infected when the file was opened, which allowed Lazarus to escalate privileges and move laterally across the company's network before finding and exploiting a weakness in the Ronin Bridge. Lazarus is probably aiming for a similar outcome with the latest Coinbase-themed campaign: it takes only one employee opening the supposed PDF to give the attackers a foothold in the corporate network.