Pierluigi Paganini
February 06, 2025
Bitdefender researchers reported that the North Korea-linked Lazarus group uses fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver a cross-platform JavaScript stealer to target crypto wallets in a new hacking campaign.
Scammers lure victims with fake job offers for crypto, travel, or finance projects, promising remote work, flexibility, and good pay while keeping details vague.
The threat actors request a CV or GitHub link to harvest personal data and make the scheme appear legitimate, further deceiving victims in the fake hiring process. Then the attackers share a fake project with hidden malicious code, requiring victims to run a demo that loads harmful scripts from a third-party source.
The attacker shares a repository with an MVP and a document requiring execution. The code appears harmless but hides an obfuscated script that loads malware.
“After receiving the requested information, the criminal shares a repository containing the “minimum viable product” (MVP) of the project. He also includes a document with questions that can only be answered by executing the demo.” reads the report published by Bitdefender. “At first glance, the code appears harmless. However, closer inspection reveals a heavily obfuscated script that dynamically loads malicious code from a third-party endpoint.”
The final payload is a cross-platform stealer that can target Windows, MacOS and Linux operating systems. The malicious code allows attackers to target popular cryptocurrency wallets by searching for crypto-related browsing extensions.
The malware also steals browser data and login credentials, then deploys Python and .NET-based payloads for keylogging, monitoring clipboard content changes, system reconnaissance, crypto mining, and persistent C2 communication via Tor and attacker-controlled IPs
The malicious code can also deliver additional malware.
The campaign was attributed to the Lazarus APT group based on an analysis of malware and operational tactics. The North Korea-linked group was previously linked to a campaign using malicious job offers and fake job applications.
“Their objectives go beyond personal data theft. By compromising people working in sectors such as aviation, defense, and nuclear industries, they aim to exfiltrate classified information, proprietary technologies, and corporate credentials. In this case, executing the malware on enterprise devices could grant attackers access to sensitive company data, amplifying the damage.” concludes the report.
“While in this article, we’ve discussed malicious job offers, it has been observed that the same threat actors have tried to infiltrate various companies by faking identities and applying for a multitude of job positions. The result would be approximately the same: private information, credentials, and technology would be exfiltrated by corporate spies.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, North Korea)
