Fake Crypto.com job offers targeting developers and artists to spread malware
Lazarus Group returns with more malware scams
Infamous North Korean threat actor Lazarus Group has been spotted targeting software developers and artists in the blockchain space with fake job offers.
Researchers from cybersecurity firm Sentinel One found the group’s “Operation In(ter)ception”, kicked off in 2020, is still active, and still looking for gullible software developers and artists.
The premise is the same: the group will create fake accounts on LinkedIn, Twitter, and other social media usually used by developers and artists, and will start reaching out to them, offering almost-too-good-to-be-true job positions. The victims that grab the bait will usually go through a couple of fake interviews, just to add to the credibility of the process. Finally, after a few rounds, the victim will be sent a file that is supposed to hold more details about the potential position. In reality, though, the file is a malware dropper.
Fake Crypto.com jobs
In this particular case, Lazarus is impersonating Crypto.com, one of the world’s largest and most popular cryptocurrency exchanges.
The file being shared is titled “Crypto.com_Job_Opportunities_2022_confidential.pdf”. It is a macOS binary that, when run, creates a folder “WifiPreference” in the user’s Library directory, where it would later drop stage two and stage three files. Stage two deploys “WifiAnalyticsServ.app”, which loads a persistence agent “wifianalyticsagent”, finally moving to stage three’s “WiFiCloudWidget”, pulled from the “market.contradecapital[.]com” C2.
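As an added example, not part of this article or of SentinelOne's research, the following POSIX shell script hunts a macOS user's Library directory and a stream of log lines for the indicators named above. The folder, file and domain names come from the article; the LaunchAgent plist check, the function names and the constructed sample layout it builds for a dry run are assumptions made here for illustration.

```shell
#!/bin/sh
# Added defensive example: hunt for the on-disk and network indicators the
# article attributes to the Operation In(ter)ception macOS dropper.
# Indicator names are from the article; the LaunchAgent check and the
# sample layout below are assumptions for illustration.

# Scan one user's Library directory for the artefacts named in the article.
# Prints one line per finding; returns 0 if anything was found, 1 otherwise.
hunt_library() {
    lib="$1"
    found=1
    base="$lib/WifiPreference"
    # Stage one creates the WifiPreference folder under ~/Library
    if [ -d "$base" ]; then
        echo "FOUND: dropper folder $base"
        found=0
    fi
    # Stage two deploys WifiAnalyticsServ.app and the wifianalyticsagent
    # persistence agent; stage three is WiFiCloudWidget
    for name in WifiAnalyticsServ.app wifianalyticsagent WiFiCloudWidget; do
        if [ -e "$base/$name" ]; then
            echo "FOUND: stage artefact $base/$name"
            found=0
        fi
    done
    # Assumed check: user-level persistence on macOS is normally registered
    # through a LaunchAgents plist, so flag any plist naming the agent
    if [ -d "$lib/LaunchAgents" ]; then
        for plist in "$lib"/LaunchAgents/*.plist; do
            [ -f "$plist" ] || continue
            if grep -qi 'wifianalyticsagent' "$plist"; then
                echo "FOUND: LaunchAgent referencing wifianalyticsagent: $plist"
                found=0
            fi
        done
    fi
    return $found
}

# Scan log lines on stdin (DNS, proxy, firewall) for the C2 domain from the
# article. Prints matching lines; returns 0 if any matched, 1 otherwise.
hunt_c2_logs() {
    grep -i 'market\.contradecapital\.com'
}

# Build a constructed, inert sample Library layout (empty files only) that
# mimics the artefact names from the article, so the hunt can be exercised
# offline. The plist content is an assumption, not a real sample.
make_sample_library() {
    lib="$1"
    mkdir -p "$lib/WifiPreference/WifiAnalyticsServ.app" "$lib/LaunchAgents"
    : > "$lib/WifiPreference/wifianalyticsagent"
    printf '<plist><dict><key>Program</key><string>%s</string></dict></plist>\n' \
        "$lib/WifiPreference/wifianalyticsagent" \
        > "$lib/LaunchAgents/com.example.wifianalyticsagent.plist"
}

# Dry run against the constructed layout; use "$HOME/Library" on a real host.
tmp=$(mktemp -d)
make_sample_library "$tmp/Library"
if hunt_library "$tmp/Library"; then
    echo "sample host: indicators present"
else
    echo "sample host: clean"
fi
# Constructed log lines standing in for a DNS resolver log
printf 'query: market.contradecapital.com A\nquery: example.org A\n' \
    | hunt_c2_logs || echo "no C2 domain in logs"
rm -rf "$tmp"
```

The hunt deliberately matches on names rather than hashes, since the article reports the samples were unobfuscated and the server was already offline; on a real host, run `hunt_library "$HOME/Library"` for each user and pipe resolver or proxy logs into `hunt_c2_logs`.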
Sentinel One wasn’t able to obtain a copy of the malware for analysis, given that the server was offline at the time of the investigation.
What it did discover is that the attackers don’t expect the campaign to last very long.
“The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets,” Sentinel One said.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.