The notorious North Korean hacking group Lazarus has been conducting a new social engineering campaign in which the attackers impersonate Coinbase to target employees in the fintech industry. Potential victims are usually approached through LinkedIn, where the threat actors present a job offer and hold a preliminary discussion. Recently, the group has been posing as Coinbase recruiters and targeting candidates suitable for an Engineering Manager or Product Security role. Victims are asked to download a file named “Coinbase_online_careers_2022_07.exe,” which displays a decoy PDF about the fake job position while also loading a malicious DLL. Once executed, the malware uses GitHub as a command-and-control (C2) server to receive commands to run on the infected device. Lazarus has conducted similar campaigns in the past using fake job offers from General Dynamics and Lockheed Martin.
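As an added illustration of how a defender could look for the chain described above (a job-lure executable launched from a user directory that then loads a DLL beside itself and talks to GitHub), here is detection logic run over constructed Sysmon-style events; it is not code from the article, and the event field names, the helper DLL name and the GitHub hostnames are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the article). Field names are
# assumptions about a Sysmon/EDR-style feed: event type, process id, image path,
# and either a loaded DLL path or a destination hostname.
EVENTS = [
    {"type": "process_create", "pid": 4100,
     "image": r"C:\Users\alice\Downloads\Coinbase_online_careers_2022_07.exe"},
    {"type": "image_load", "pid": 4100,
     "image": r"C:\Users\alice\Downloads\Coinbase_online_careers_2022_07.exe",
     "loaded": r"C:\Users\alice\Downloads\helper.dll"},   # constructed DLL name
    {"type": "network", "pid": 4100,
     "image": r"C:\Users\alice\Downloads\Coinbase_online_careers_2022_07.exe",
     "dest": "api.github.com"},
    {"type": "process_create", "pid": 5200,
     "image": r"C:\Program Files\Git\cmd\git.exe"},
    {"type": "network", "pid": 5200,
     "image": r"C:\Program Files\Git\cmd\git.exe", "dest": "github.com"},
]

# Executables named like job/career documents, e.g. the article's
# "Coinbase_online_careers_2022_07.exe"; the keyword must sit in the file name.
LURE_NAME = re.compile(r"(career|job|position|offer|resume)[^\\/]*\.exe$", re.I)
# Trusted install locations; a DLL loaded from anywhere else, next to the exe, is suspect.
TRUSTED_DIR = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
GITHUB_HOST = re.compile(r"(^|\.)github(usercontent)?\.com$", re.I)

def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()

def find_lure_processes(events):
    """Return {pid: sorted(signals)} for processes whose image matches the lure
    pattern and that show at least one of the two follow-on behaviours."""
    signals = defaultdict(set)
    for ev in events:
        img = ev["image"]
        if LURE_NAME.search(img) and not TRUSTED_DIR.match(img):
            signals[ev["pid"]].add("lure_named_exe")
        if ev["type"] == "image_load":
            dll = ev["loaded"]
            if (dll.lower().endswith(".dll") and not TRUSTED_DIR.match(dll)
                    and _dirname(dll) == _dirname(img)):
                signals[ev["pid"]].add("sideloaded_dll")
        elif ev["type"] == "network" and GITHUB_HOST.search(ev["dest"]):
            signals[ev["pid"]].add("github_c2_candidate")
    return {pid: sorted(s) for pid, s in signals.items()
            if "lure_named_exe" in s and len(s) > 1}

if __name__ == "__main__":
    for pid, why in find_lure_processes(EVENTS).items():
        print(f"pid {pid}: {', '.join(why)}")
```

Legitimate developer tooling such as git.exe also reaches GitHub, so the GitHub signal alone is deliberately not enough to flag a process.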
Financially motivated attacks are nothing new for state-sponsored North Korean hacking groups. Earlier this year, US intelligence services warned about Lazarus stealing private keys and seizing wallet holdings. In April, the US Treasury and the FBI linked the cryptocurrency stolen from Axie Infinity to Lazarus. That hack, which took $617 million worth of Ethereum and USDC tokens, was made possible by a fake PDF file: opening it infected the victim’s computer, allowing Lazarus to escalate privileges and move laterally through the firm’s network.
Organizations should train users to avoid clicking links or opening attachments sent over social media, especially by unknown or anonymous contacts. Users should also be instructed to report any such incident to the organization’s IT security department for follow-up investigation, particularly if an attachment has already been opened.