A new social engineering campaign by the notorious North Korean Lazarus hacking group has been discovered, with the hackers impersonating Coinbase to target employees in the fintech industry.
A common tactic the hacking group uses is to approach targets over LinkedIn to present a job offer and hold a preliminary discussion as part of a social engineering attack.
According to Hossein Jazi, a security researcher at Malwarebytes who has been following Lazarus activity closely since February 2022, the threat actors are now pretending to be from Coinbase, targeting candidates suitable for the role of “Engineering Manager, Product Security.”
Coinbase is one of the world’s largest cryptocurrency exchange platforms, allowing Lazarus to lay the ground for a lucrative and enticing job offer at a prestigious organization.
When victims download what they believe to be a PDF about the job position, they are actually getting a malicious executable using a PDF icon. In this case, the file is named “Coinbase_online_careers_2022_07.exe,” which will display the decoy PDF document shown below when executed while also loading a malicious DLL.
Decoy PDF displayed when running fake PDF executable(@h2jazi)
Once executed, the malware will use GitHub as a command and control server to receive commands to perform on the infected device.
This attack chain is similar to one documented by Malwarebytes in a blog post at the start of the year.
Jazi told Bleeping Computer that Lazarus follows similar tactics and methods to infect their targets with malware, and the individual phishing campaigns feature infrastructure overlaps.
Other campaigns conducted by Lazarus in the past using fake job offers were for General Dynamics and Lockheed Martin.
Lazarus hackers targeting crypto
State-sponsored North Korean hacking groups are known for launching financially motivated attacks against banks, cryptocurrency exchanges, NFT marketplaces, and individual investors with significant holdings.
Earlier in the year, U.S. intelligence services warned about Lazarus spreading trojanized cryptocurrency wallets and investment apps that steal people’s private keys and siphon their holdings.
In April, the U.S. Treasury and the FBI linked stolen cryptocurrency from the blockchain-based game Axie Infinity to Lazarus, holding them responsible for stealing over $617 million worth of Ethereum and USDC tokens.
As revealed later, in July, the Axie Infinity hack was made possible thanks to a laced PDF file that supposedly contained the details of a lucrative job offer sent to one of the blockchain’s engineers.
Opening the file infected the engineer’s computer, enabling Lazarus to raise their privileges and move laterally in the firm’s network, eventually locating a vulnerability in the Ronin Bridge and triggering an exploit.
This same type of attack is likely what Lazarus is hoping to achieve in the latest Coinbase-lured campaign, as it would only take a single person in a company to open the PDF and enable the hackers to gain initial access to the corporate network.