New Lazarus Group Scam Targets Crypto Wallets via Fake Jobs
Cybersecurity Alert: New Scam Targets Job Seekers with Deceptive Remote Work Offers
A recent warning from cybersecurity experts at Bitdefender highlights a sophisticated scam targeting job seekers on professional social media networks. This alarming trend involves enticing messages that promise flexible remote work opportunities and attractive pay. Unfortunately, these offers can serve as a front for more sinister activities, such as data harvesting and fraud.
How the Scam Works
The scam begins when potential victims receive a seemingly innocent message from someone posing as a recruiter. Once the victim shares personal details, the scam escalates. The attacker then directs them to a GitHub or Bitbucket repository containing a "minimum viable product" (MVP) of a fictitious decentralized exchange (DEX) project. Victims are asked to review the project and provide feedback.
- Malicious Code: Hidden within the repository’s code is an obfuscated script that connects to api.npoint[.]io. This script is a cross-platform JavaScript information stealer designed to extract data from various cryptocurrency wallet extensions installed in the victim’s browser.
The Threat Landscape
The JavaScript stealer doesn’t just stop at data extraction. It also serves as a loader for a Python-based backdoor that has multiple malicious capabilities:
- Clipboard Monitoring: It tracks changes in the clipboard, potentially capturing sensitive information.
- Persistent Access: The backdoor ensures that attackers maintain remote access to the victim’s system.
- Additional Malware: It can drop further malicious software onto the victim’s device.
Bitdefender notes that this scam shares tactics with a known attack cluster called Contagious Interview (also known as DeceptiveDevelopment or DEV#POPPER). That cluster uses the BeaverTail JavaScript stealer and a Python implant called InvisibleFerret.
Understanding the Malware
The deployed malware is a .NET binary capable of:
- Downloading a Tor Proxy: This allows attackers to communicate with a command-and-control (C2) server over Tor.
- Exfiltrating Information: It can siphon sensitive data and log keystrokes.
- Launching Cryptocurrency Miners: Victims’ devices can be hijacked to mine cryptocurrency without their knowledge.
According to Bitdefender, the infection chain is intricate, blending multiple programming languages and technologies. This includes multi-layered Python scripts that recursively decode and execute themselves, alongside the JavaScript and .NET components.
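A defender-side check for the two traits described above, a reference to the C2 host and layered decode-and-exec staging, written here as an added example that is not Bitdefender's tooling or the campaign's code. It unwraps the layers statically without executing anything, and the repository file it scans is constructed inside the block; the decoder names it looks for are an assumed heuristic, not a list from the report.

```python
import ast
import base64
import re

# Indicator quoted in the article (defanged there as api.npoint[.]io); both spellings matched.
C2_INDICATOR = re.compile(r"api\.npoint(?:\[\.\]|\.)io")
DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify"}  # assumed heuristic

def _call_name(node: ast.Call) -> str:
    f = node.func
    return f.id if isinstance(f, ast.Name) else f.attr if isinstance(f, ast.Attribute) else ""

def decode_exec_lines(src: str) -> list[int]:
    """Line numbers of exec()/eval() calls whose argument tree contains a decoder call."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return []
    return [n.lineno for n in ast.walk(tree)
            if isinstance(n, ast.Call) and _call_name(n) in ("exec", "eval")
            and any(isinstance(c, ast.Call) and _call_name(c) in DECODERS for c in ast.walk(n))]

def layer_depth(src: str, limit: int = 10) -> int:
    """Count nested decode-and-exec stages statically: every long string literal that
    base64-decodes to text is parsed as the next stage. Nothing is ever executed."""
    if limit == 0 or not decode_exec_lines(src):
        return 0
    deepest = 0
    for n in ast.walk(ast.parse(src)):  # src parsed fine: decode_exec_lines found hits
        if isinstance(n, ast.Constant) and isinstance(n.value, str) and len(n.value) >= 16:
            try:
                inner = base64.b64decode(n.value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):  # not base64, or not text
                continue
            deepest = max(deepest, layer_depth(inner, limit - 1))
    return 1 + deepest

def c2_reference_lines(src: str) -> list[int]:
    return [i for i, line in enumerate(src.splitlines(), 1) if C2_INDICATOR.search(line)]

def build_sample() -> str:
    """Constructed two-stage sample for the demo; its final payload only prints a string."""
    final = 'print("mvp review")'
    stage1 = "import base64\nexec(base64.b64decode(%r))" % base64.b64encode(final.encode()).decode()
    outer = base64.b64encode(stage1.encode()).decode()
    return "import base64\n# config pulled from api.npoint[.]io\nexec(base64.b64decode(%r))" % outer
```

Run over a cloned repository, a file that both references the host and shows a layer depth above zero is worth quarantining before anyone opens the "MVP" in a browser with wallet extensions installed.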
Recent Developments
One notable repository involved in this scam was linked to a project named "miketoken_v2," which has since been taken down. This warning comes on the heels of another report by SentinelOne, indicating that the Contagious Interview campaign is also being leveraged to distribute malware known as FlexibleFerret.
Stay Informed and Protected
As cyber threats continue to evolve, it is crucial for job seekers to remain vigilant about the requests they receive online. Always verify the legitimacy of job offers and be cautious when sharing personal information.