Suspected North Korean state-sponsored hackers are targeting cryptocurrency workers with a new phishing campaign.
Malwarebytes threat intelligence researcher Hossein Jazi posted details of the campaign on Twitter. It appears to leverage a PDF describing a non-existent role of “engineering manager, product security” at crypto giant Coinbase.
In fact, the file hides a malicious executable that infects the victim’s machine.
This isn’t the first time that actors from the notorious Lazarus Group have used such tactics.
Back in January, Jazi and colleague Ankur Saini revealed a spear-phishing attack by the group that targeted job seekers with documents containing malicious macros.
“We identified two decoy documents masquerading as American global security and aerospace giant Lockheed Martin,” they said.
The duo also pointed to “a clever use of Windows Update to execute the malicious payload and GitHub as a command-and-control server.”
Jazi claimed that this campaign and the newer Coinbase-themed one used the same or similar attack infrastructure.
He also flagged a third incident from March in which Lazarus Group actors targeted recipients with a document advertising the role of senior engineering manager at shipbuilder General Dynamics Electric Boat.
The campaigns also have similarities to Operation In(ter)ception, which was first revealed by ESET in June 2020.
In that campaign, actors used LinkedIn phishing messages containing convincing job offers to targets working in relevant sectors. Malicious files were sent either via email or via a OneDrive link shared over LinkedIn.
“Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed,” ESET explained. “Meanwhile, malware was silently deployed on the victim’s computer. In this way, the attackers established an initial foothold and reached a solid persistence on the system.”
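Both the Coinbase lure and the In(ter)ception lures described above share one trait: a file that presents itself as a PDF (by name, icon or an embedded decoy document) but is really a Windows executable. The triage helper below is an added example, not code from the article, Malwarebytes or ESET; it compares a file's claimed extension with its leading magic bytes and also flags the double-extension variant (a generalisation not mentioned in the article). The sample file names and headers are constructed, not real campaign artefacts.

```python
"""Flag files whose claimed type disagrees with their magic bytes (added example)."""
from dataclasses import dataclass
from pathlib import PurePath

# Well-known leading bytes: PE/EXE files start with "MZ", PDFs with "%PDF-".
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"

# Extensions a mail or download filter expects to hold documents, never PE code.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def sniff_type(head: bytes) -> str:
    """Classify a file by its first bytes; only a handful are needed."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def assess(filename: str, head: bytes) -> Verdict:
    """Return a verdict on whether name and content disagree."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    kind = sniff_type(head)
    if kind == "pe" and claimed in DOCUMENT_EXTS:
        return Verdict(True, f"PE header behind document extension {claimed}")
    if kind == "pe" and len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
        return Verdict(True, f"executable with double extension {''.join(suffixes[-2:])}")
    return Verdict(False, f"no mismatch (type={kind}, ext={claimed or 'none'})")


# Constructed samples standing in for a lure and a benign decoy; not real IoCs.
SAMPLES = {
    "job_description.pdf": b"MZ\x90\x00\x03\x00\x00\x00",      # EXE posing as PDF
    "salary_info.pdf": b"%PDF-1.7\n",                          # genuine PDF
    "job_description.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",  # hidden extension
}


def triage_all(samples=SAMPLES) -> dict:
    """Assess every sample and return the verdicts keyed by file name."""
    return {name: assess(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, v in triage_all().items():
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'ok'} - {v.reason}")
```

In practice the header would be read from the quarantined file itself; a match here is only a first filter, since a genuine PDF can still carry an embedded payload.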