Infamous North Korean threat actor Lazarus Group has been spotted targeting software developers and artists in the blockchain space with fake job offers.
Researchers from cybersecurity firm Sentinel One found the group’s “Operation In(ter)ception”, kicked off in 2020, is still active, and still looking for gullible software developers and artists.
The premise is the same: the group will create fake accounts (opens in new tab) on LinkedIn, Twitter, and other social media usually used by developers and artists, and will start reaching out to them, offering almost-too-good-to-be-true job positions. The victims that grab the bait will usually go through a couple of fake interviews, just to add to the credibility of the process. Finally, after a few rounds, the victim will be sent a file that is supposed to hold more details about the potential position. In reality, though, the file is a malware (opens in new tab) dropper.
In this particular case, Lazarus is impersonating Crypto.com, one of the world’s largest and most popular cryptocurrency exchanges.
The file being shared is titled “’Crypto.com_Job_Opportunities_2022_confidential.pdf”. It is a macOS binary that, when run, creates a folder “WifiPreference” in the user’s Library directory, where it would later drop stage two and stage three files. Stage two deploys “WifiAnalyticsServ.app”, which loads a persistence agent “wifianalyticsagent”, finally moving to stage three’s “WiFiCloudWidget”, pulled from “market.contradecapital[.]com” C2.
Sentinel One wasn’t able to obtain a copy of the malware for analysis, given that the server was offline at the time of the investigation.
What it did discover, is that the attackers don’t expect the campaign to last very long.
“The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets,” Sentinel One said.
Via: BleepingComputer (opens in new tab)