A hacker group known as Lazarus, allegedly backed by North Korea, could be targeting firms in the crypto and blockchain sectors through LinkedIn, cyber security firm F-Secure said in a press release on 25 August.
According to the report published by the Finnish firm, the latest phishing attack by Lazarus was delivered as a crypto-related job offer on the LinkedIn social network. The group used the platform to message a systems administrator at a crypto firm with a fake job offer document which, once downloaded and opened, gave the attackers backdoor access to the company's network.
F-Secure's Director of Detection and Response, Matt Lawrence, said:
“Our research, which included insights from our incident response, managed detection and response, and tactical defense units, found that this attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident.”
The MS Word document, titled “BlockVerify Group Job Description”, would execute a malicious macro when opened. Once the group had access, it used backdoor network implants and malware to locate and extract any crypto wallet information and bank account details it could find. It also appears that the attack, which was carried out in 2019, is part of a bigger campaign.
“The evidence also suggests this is part of an ongoing campaign targeting organizations in over a dozen countries, which makes the attribution important. Companies can use the report to familiarize themselves with this incident, the TTPs, and Lazarus Group in general, to help protect themselves from future attacks.”
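The carrier described above, a Word document that runs a macro when opened, is something a mail gateway or file-intake pipeline can screen for without opening the file: an OOXML document only carries VBA if it contains a `word/vbaProject.bin` part, and a macro-enabled document declares the macro-enabled content type in `[Content_Types].xml`. The script below is an added illustration of that check and is not code from F-Secure's report or from the incident; the helper names, the quarantine rule and the sample documents it builds are all constructed for this example. A renamed `.docm` still fails the check, because the test looks inside the archive rather than at the extension.

```python
import io
import zipfile

# Constructed for this example: the OOXML part and content type that mark
# a Word document as carrying VBA (these two identifiers are real OOXML
# names; the helper around them is hypothetical).
MACRO_PART = "word/vbaProject.bin"
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOC_CT = (
    "application/vnd.openxmlformats-officedocument"
    ".wordprocessingml.document.main+xml"
)


def inspect_office_doc(data: bytes) -> dict:
    """Inspect the bytes of a candidate Word attachment without opening it
    in Office. Returns a findings dict; non-zip input is reported as not OOXML."""
    findings = {
        "is_ooxml": False,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
        "parts": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # legacy .doc (OLE2) or garbage: needs a different parser

    names = zf.namelist()
    findings["parts"] = names
    findings["is_ooxml"] = "[Content_Types].xml" in names
    # The VBA project part is the reliable indicator: no part, no macros.
    findings["has_vba_project"] = MACRO_PART in names
    if findings["is_ooxml"]:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_enabled_content_type"] = MACRO_ENABLED_CT in content_types
    return findings


def should_quarantine(findings: dict) -> bool:
    """Policy constructed for this example: hold any document that carries a
    VBA project or declares itself macro-enabled, regardless of file extension."""
    return findings["has_vba_project"] or findings["macro_enabled_content_type"]


def build_sample(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for testing the check.
    This is not the document from the incident; the VBA part is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_ENABLED_CT if with_macro else PLAIN_DOC_CT
        zf.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" '
            f'ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real compound-file VBA project.
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("plain", build_sample(False)), ("macro", build_sample(True))):
        result = inspect_office_doc(blob)
        print(label, "quarantine" if should_quarantine(result) else "allow")
```

The check is deliberately structural: it does not try to decompress or interpret the VBA source (MS-OVBA compresses module streams, so naive string searches for procedure names such as AutoOpen are unreliable), it just answers whether the attachment can run code at all, which is the question a detection rule for this kind of lure needs answered first.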
Allegedly connected to the Democratic People’s Republic of Korea (DPRK), the hacker group is well known in the crypto space. Earlier this year, cyber security firm Kaspersky released a report claiming that the group had doubled down on its efforts to infect Mac and Windows users using modified malware. The group was also allegedly involved in the theft of nearly $600 million in crypto between 2017 and 2018.