Through fake job offers posted on LinkedIn, Lazarus Group hackers seek to trick victims into executing malicious code in order to steal cryptocurrency.
A report recently published by the security company F-Secure details how the hacker group known as Lazarus Group is carrying out an attack through the business network LinkedIn, deceiving key but unsuspecting users with a fake job offer whose sole purpose is to steal their cryptocurrency. According to the report, Lazarus Group's modus operandi is a phishing campaign that promotes a fake job offer at a blockchain company via LinkedIn. The job offer comes with a document which, when downloaded and opened, executes malicious code that lets the attackers obtain the victim's login credentials and gain access to the network, a foothold from which they can eventually reach the systems where cryptocurrency is stored.
The attack targets exchanges, custodians and other organizations in the cryptocurrency vertical. In the most recent Lazarus Group attack, for example, the hackers targeted a systems administrator at a major exchange, who received a job offer through LinkedIn.
According to the F-Secure report, the fake job offer described exactly the knowledge, skills and abilities the victim already had, and it came with a Word document that supposedly provided more information about the position. The offer claimed the document was protected under the European Union's General Data Protection Regulation (GDPR) and therefore asked the victim to enable macros in order to view its full contents. Doing so installed a VBScript on the device, which connected to several compromised command-and-control servers operated by Lazarus Group.
Phishing campaigns target administrators of major companies and organizations
Lazarus Group is one of the world's largest hacking groups linked to North Korea, and it has led attacks against several major sectors and companies. In addition to the recent attack on cryptocurrency companies, Lazarus Group is also using phishing to target key employees in the US aerospace industry and defense organizations.
McAfee and ClearSky issued reports revealing that the group is using attack techniques similar to those used through LinkedIn against the cryptocurrency exchange administrator, in order to compromise users and their devices and gain access to confidential information.
“The Techniques, Tactics and Procedures (TTP) of the 2020 activity are very similar to previous campaigns that operate under the same modus operandi that we observed in 2017 and 2019.”
According to the F-Secure report, this Lazarus Group phishing campaign began in 2018, with incidents recorded in China, the United States, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, the Netherlands, Estonia, Japan and the Philippines.
How does the Lazarus Group phishing attack work?
As mentioned at the beginning, the fake job offer tells victims that the accompanying document is protected under EU data protection law, so the victim must enable macros to view it. Once macros are enabled, however, the document executes malicious code that collects sensitive information from the compromised device and sends it to the attackers. According to F-Secure, this foothold lets the hackers "download additional files, decompress data in memory, initiate C2 communication, execute arbitrary commands, and steal credentials from various sources," among other things. The practical lesson for defenders is that the lure depends entirely on the user clicking "Enable Content": a document that arrives unsolicited and insists on macros to be readable should be treated as hostile, and an organization can make that call for its users by blocking macros in files that came from the Internet.
Given the skill this group of hackers possesses, Lazarus Group represents an ongoing threat to society and to organizations. The security firm therefore calls on users to be aware of the attacks they may fall victim to, and on companies, businesses and organizations to recognize the need for stronger security and continuous monitoring of their environments, which are a specific target for this dangerous group.
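The attack described above hinges on a Word document that carries a VBA macro and a pretext for enabling it. As an added example (not code from the F-Secure report or from this article), the following Python checks an Office file for the structural markers of an embedded macro before anyone is asked to "enable content": the `vbaProject.bin` part and the macro-enabled content types in an OOXML (.docm) package, and the `_VBA_PROJECT` directory entry in a legacy OLE2 (.doc) container. The sample documents are constructed in memory and are placeholders, not real VBA projects; the OLE2 check is a byte-pattern heuristic, and a full parser such as the open-source `olevba` tool should be used for anything beyond triage.

```python
"""Triage check: does an Office document carry a VBA macro project?"""
import io
import sys
import zipfile

# Real OOXML content types (see the OOXML/Office Open XML specs).
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"

# Magic bytes of a legacy OLE2 compound file (.doc, .xls, ...).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored as UTF-16LE; this stream exists when a VBA project is present.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def inspect_office_file(data: bytes) -> dict:
    """Return {'container': ..., 'has_macros': bool, 'indicators': [...]} for one document."""
    report = {"container": "unknown", "has_macros": False, "indicators": []}

    if data.startswith(OLE_MAGIC):
        report["container"] = "ole2"
        # Heuristic only: looks for the VBA project stream name in the directory entries.
        if OLE_VBA_MARKER in data:
            report["has_macros"] = True
            report["indicators"].append("_VBA_PROJECT stream name in OLE2 directory")
        return report

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report

    report["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                report["has_macros"] = True
                report["indicators"].append(f"embedded VBA project part: {name}")
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_ENABLED_MAIN in types_xml:
                report["has_macros"] = True
                report["indicators"].append("macro-enabled main document content type")
            if VBA_PROJECT_TYPE in types_xml:
                report["has_macros"] = True
                report["indicators"].append("vbaProject content type override")
    return report


def build_ooxml_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package (placeholder parts, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_type = MACRO_ENABLED_MAIN if with_macros else PLAIN_MAIN
        types_xml = (
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        )
        if with_macros:
            types_xml += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a VBA project
        types_xml += "</Types>"
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_ole_sample(with_macros: bool) -> bytes:
    """Constructed byte string with the OLE2 magic and, optionally, the VBA stream marker."""
    body = OLE_MAGIC + b"\x00" * 64
    if with_macros:
        body += OLE_VBA_MARKER + b"\x00" * 16
    return body


if __name__ == "__main__":
    # With no arguments, run over the constructed samples; otherwise inspect the given files.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, inspect_office_file(fh.read()))
    else:
        for label, blob in [("docm-like", build_ooxml_sample(True)),
                            ("docx-like", build_ooxml_sample(False)),
                            ("doc-like", build_ole_sample(True))]:
            print(label, inspect_office_file(blob))
```

Run it as `python check_macros.py offer.docm` to triage a received attachment offline. A hit from `inspect_office_file` does not prove the macro is malicious, only that the document can run code if the user enables content, which is exactly the decision the lure in this campaign tries to force.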
About Lazarus Group
This group of hackers is estimated to have been formed in North Korea in 2007 to conduct attacks on government, banking, financial and military institutions, as well as on industries in many other sectors, including communications, entertainment, shipping and blockchain companies. According to a report issued by the United States Department of the Treasury, Lazarus Group carries out its malicious cyber operations through cyber espionage, data theft, monetary theft and destructive malware operations.
The group has been involved in several thefts from commercial banks and exchange houses, such as the theft of 81 million dollars from Bangladesh Bank in 2016. The United States Department of the Treasury also estimates that Lazarus Group stole more than $570 million between 2017 and 2018 to fund the North Korean government.