North Korea-based hacking group, Lazarus, has started a social engineering campaign targeting potential financial industry employees using Coinbase as bait. The hackers are posting ads for Coinbase job offers on sites like LinkedIn to lure job-seeking candidates by presenting fake job offers.
According to Malwarebytes, which has been monitoring Lazarus regularly since February 2022, the group has now adopted social engineering: it contacts potential candidates for positions such as "Engineering Manager, Product Security" while posing as a Coinbase representative.
Lazarus uses Coinbase Job Offers to target employees on LinkedIn
Known by different monikers, such as Guardians of Peace or Whois Team, the North Korea-based Lazarus group initiated many attacks between 2010 and 2021. However, the latest social engineering attack primarily targets job seekers on websites like LinkedIn using Coinbase job offers as bait. The hackers run the campaign via LinkedIn and reach out to candidates looking for jobs in the fintech industry.
#Lazarus #APT:
0dab8ad32f7ed4703b9217837c91cca7
Coinbase_online_careers_2022_07.exe
The decoy pdf is "Engineering Manager, Product Security" job description at Coinbase.
Next stage: (gone!)
https://docs.mktrending[.]com/marrketend.png
https://t.co/XETUeA5F6B pic.twitter.com/NTFUJ9AiCO
— Jazi (@h2jazi) August 4, 2022
After gaining the candidate's trust, the hackers send them what appears to be a PDF file but is actually a malicious executable carrying a PDF icon. In a tweet shared by Malwarebytes threat intel researcher Jazi, we can see that the file name the hacker describes is "Engineering Manager, Product Security." On closer inspection, however, the actual name of the executable is "Coinbase_online_careers_2022_07.exe".
In a similar tweet shared by Jazi on January 27th, 2022, Lazarus appears to use the same method, this time with General Dynamics Electric Boat as the bait. In both cases, the executable opens and uses GitHub as the command-and-control server for the targeted device.
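The lure described in the two paragraphs above relies on a mismatch between what a file claims to be (a job description, a PDF icon) and what it actually is (a Windows executable). The following is an added example, not code from the article or from Malwarebytes, of a simple triage check a defender could run over quarantined attachments: it compares each file's magic bytes with its name and extension. The job-related word list and the sample files are constructed for the demonstration.

```python
import os
import tempfile

# Magic bytes: a genuine PDF starts with "%PDF-", a Windows executable with "MZ".
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
JOB_WORDS = ("career", "job", "position", "opportunit", "engineer", "manager")  # hypothetical list


def classify(name, header):
    """Compare what a file claims to be (its name) with what it is (its header)."""
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    is_pe = header.startswith(PE_MAGIC)
    named_like_job_doc = any(w in lower for w in JOB_WORDS)
    if is_pe and ext not in EXECUTABLE_EXTENSIONS:
        verdict = "pe_with_document_extension"      # e.g. report.pdf that really starts with MZ
    elif is_pe and named_like_job_doc:
        verdict = "pe_named_like_job_document"      # e.g. Coinbase_online_careers_2022_07.exe
    elif ext == ".pdf" and not header.startswith(PDF_MAGIC):
        verdict = "pdf_extension_without_pdf_header"
    else:
        verdict = "ok"
    return {"name": name, "is_pe": is_pe, "verdict": verdict}


def scan_directory(path):
    """Read the first bytes of each regular file and return one finding per file."""
    findings = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            findings.append(classify(entry, fh.read(8)))
    return findings


def build_samples():
    """Write constructed sample files (harmless byte strings, not real malware) and return the directory."""
    d = tempfile.mkdtemp(prefix="lure_demo_")
    samples = {
        "Coinbase_online_careers_2022_07.exe": b"MZ\x90\x00" + b"\x00" * 12,  # PE with a job-like name
        "Product_Security_JD.pdf": b"MZ\x90\x00" + b"\x00" * 12,              # PE hiding behind .pdf
        "benefits_overview.pdf": b"%PDF-1.7\n%constructed\n",                # genuine-looking PDF
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 12,                             # ordinary executable
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Run `scan_directory(build_samples())` to see the four verdicts; only the two constructed lures are flagged.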
New sample associated with this #Lazarus #APT campaign: https://t.co/fMA6NdDC5R
The decoy document is Sr Engineer Manager job posting at General Dynamics Electric Boat!
8281c73d4dc2e91a928c0d210698bed6
MSOffice_Solana_Online_Career_Opportunities.exe
(low detection rate: 3/68) pic.twitter.com/oXZlgv32tg
— Jazi (@h2jazi) March 21, 2022
The crypto market is currently flourishing, and companies like Coinbase are popular employers. The hackers are simply cashing in on the trend, and the social engineering attacks seem to work because many people are searching for jobs right now. Groups like Lazarus win the bid by offering a chance of employment at companies like Coinbase.