Lazarus, the renowned and notorious North Korean hacking group, has been found impersonating Coinbase to lure employees in the financial sector as their victims.
For those unaware, Coinbase is one of the world’s largest cryptocurrency exchange platforms for buying, selling, transferring, and storing digital currency.
The hacking group Lazurus, believed to be backed by the North Korean government, is well-known for conducting financially motivated attacks against banks, cryptocurrency exchanges, NFT marketplaces, and individual investors with significant holdings.
For this particular campaign, the modus operandi of the hacking group is to approach victims through hiring platforms such as LinkedIn and Indeed and entice them with a job offer and hold a preliminary discussion as part of a social engineering attack.
Due to Coinbase’s popularity, Lazarus was able to lure victims with a lucrative and enticing job offer at the prestigious organization.
Hossein Jazi, a security researcher at Malwarebytes who has been following Lazarus activity closely since February 2022, shared a screenshot of the sample email that was sent by the threat actors to target candidates. The fake job description reads “Engineering Manager, Product Security” at Coinbase.
The decoy pdf is "Engineering Manager, Product Security" job description at Coinbase.
— Jazi (@h2jazi) August 4, 2022
The email states that Coinbase looks at a few things they look at before hiring at the company, regardless of role or team.
“First, we look for candidates who will thrive in a culture like ours, where we default to trust, embrace feedback, and disrupt ourselves. Second, we expect all employees to commit our mission-focussed approach to our work. Finally, we seek people who are excited to learn about and live crypto, because those are the folks who enjoy the intense moments in our sprint and recharge work culture,” it read.
In addition, it also said, “We’re a remote-first company looking to hire the absolute best talent all over the world.”
According to BleepingComputer, the victims are targeted to download what they believe is a PDF about the job position titled “Coinbase_online_careers_2022_07.exe.” However, they actually end up downloading a malicious PDF executable file unknowingly, which is masked to load a malicious DLL.
Once executed, the malware will use GitHub as a command and control server to receive commands about what to do on the infected device.
This attack chain is similar to the one documented by Malwarebytes in a blog post in January 2022.
Jazi told BleepingComputer that “Lazarus follows similar tactics and methods to infect their targets with malware, and the individual phishing campaigns feature infrastructure overlaps.”