North Korean hacker group Lazarus spreads malware through fake job listings on LinkedIn

A North Korea-linked hacking group, Lazarus, has been found distributing malware through fake job postings on LinkedIn, targeting users with malicious scripts designed to steal sensitive data and cryptocurrency wallets.

On February 5, cybersecurity firm Bitdefender reported on its official blog that Lazarus has been using LinkedIn as a tool to lure victims into downloading malware, carrying out cyberattacks under the guise of job recruitment.

According to Bitdefender, Lazarus approached targets by falsely offering job opportunities at decentralized cryptocurrency exchanges. If the target expressed interest, they were asked to submit their resume or provide a link to their personal GitHub repository.

Once the attackers gathered the victim’s information, they shared a document containing interview questions, requiring the execution of a demo project stored in a shared repository. However, this repository contained an obfuscated script that dynamically loaded malicious code.

The malware was specifically designed to target widely used cryptocurrency wallet browser extensions. Upon execution, it collected critical files associated with these extensions while simultaneously extracting login credentials stored in the user’s browser.

Additionally, it downloaded a Python script named ‘main99_65.py’, which served as a foundation for further cyberattacks.

Further steps in the attack involved adding the malicious binary to Microsoft Defender’s exception list, preventing detection, and downloading a Tor Proxy Server to facilitate communication with command and control (C2) servers.

The malware also installed a backdoor, which enabled extensive data collection, and a cryptocurrency miner, which exploited the victim’s system resources. Additionally, it deployed a keylogger, utilizing Win32 API to capture keystrokes and steal credentials.

Bitdefender warned that Lazarus is not only stealing personal data but is also conducting cyberattacks targeting the aerospace, defense, and nuclear industries to obtain classified information and proprietary technologies.

“The group has been found not only distributing malware through fake job listings but also attempting to infiltrate various companies using forged identities,” Bitdefender stated.

The cybersecurity firm cautioned that social platforms are increasingly becoming breeding grounds for malicious activities and advised users to be wary of job postings with vague descriptions, avoid opening suspicious repositories, and refrain from executing unverified code.

BY YOUNGNAM KIM [kim.youngnam@koreadaily.com]