The North Korea -related Lazaro Group has been linked to an active campaign that uses fake Linkedin jobs in cryptocurrencies and travel departments to provide malware that can infect windows, Maco, and Linux operating systems.
According to the Cyber Security Company BitDefender, fraud starts with a message sent to a professional social media network, inviting remote work, part -time flexibility, and good wages.
“If the target expressed interest, the scammers will expand the” employment process “by the scammers demanding a resume or personal GitHub repository link,” said Romanian companies in a report shared with Hacker News. Ta.
“At first glance, it looks innocent, but these requests are useful for unwilling purposes, such as harvesting personal data and lending a legitimate veneer of interaction.”
When the demanded details are obtained, the attack is a recruiter and the threat actor shares a link to the GitHub or Bitbucket repository, which contains a minimum executable product (MVP) version of the expected distributed type. Go to the stage (DEX) project and the victims to check it and provide feedback.
What exists in the code is a difficult -to -read script that is configured to acquire the next stage from API.NPOINT.[.]IO is a cross -platform JavaScript informationsteller that can harvest data from various cryptocurrency wallet extensions that can be installed in the victim’s browser.
Stiller is also a loader to obtain a Python -based backdoor in charge of monitoring the clipboard content change, maintaining permanent remote access, and deleting additional malware.
At this stage, it is noteworthy that the tactics documented by BitDefender overlap with the known attack activity cluster (also known as DecteptedEVELOPMENT and DEV # Popper). 。
Malware deployed by Python Malware is a .NET binari that can communicate with the command and control (C2) server, remove the basic system information, download the TOR Proxial bar that provides another payload. You can launch data, log key strokes, and cryptocurrency minor for SIPHON.
“The threat actor infection chain is complicated, contains malicious software described in multiple programming languages, and uses various technologies, such as multi -layered Python scripts that are recursive and executed. According to JavaScript Stiller, which harvests the browser data first, the payloading and security tools can be launched, and the configuration of TOR Proxy and the encryption mining workers can be launched. Base stages are possible.
There is evidence suggesting that these efforts are very extensive, and the report shared by Linkedin and Reddit has received a slight fine adjustment throughout the attack chain. In some cases, the candidate is asked to clon the web3 repository as part of the interview process and execute it locally, but in other cases, correct the bug intentionally introduced in the code. It will be instructed.
One of the Bitbucket repositories in question refers to a project named “miketoken_v2”. It cannot be accessed on the code hosting platform.
This disclosure is performed on the day after the disclosure is used to provide a transmission interview campaign to provide another malware code name FlexibleEferret.
Source link
