The North Korean-backed Lazarus Group has been identified as the group behind a malicious campaign using fake LinkedIn job offers to distribute malware targeting Windows, macOS, and Linux systems. The attack begins with the recruitment of potential victims through fake job offers, promising remote work and flexible hours. After engaging the victim, the attacker requests personal information such as a CV or GitHub link, seemingly to assess the candidate’s qualifications. However, these requests are part of a larger strategy to gather personal data and lend an air of legitimacy to the scam, setting the stage for further exploitation.
Once the attacker gathers sufficient personal information, they direct the victim to a GitHub or Bitbucket repository containing a malicious script disguised as a minimum viable product for a decentralized exchange (DEX) project. This script, which is obfuscated, triggers the retrieval of a JavaScript information stealer capable of stealing cryptocurrency wallet data from the victim’s browser. The stealer then loads a Python-based backdoor that enables remote access, monitors clipboard content for valuable information, and drops additional malware onto the compromised system.
These actions are part of a broader effort to compromise the victim’s machine and harvest sensitive data.
The malware used in the attack is part of the larger Contagious Interview campaign, also known as DeceptiveDevelopment or DEV#POPPER. The infection chain deployed by Lazarus Group includes a mix of Python, JavaScript, and .NET-based tools that work in tandem to disable security features, establish persistence, and execute cryptocurrency miners. These multi-layered attack tools are designed to evade detection while exfiltrating data and maintaining control over the infected system. A key feature of the attack chain is its use of recursive Python scripts that decode and execute themselves, making it harder to trace and block.
Reports from LinkedIn and Reddit suggest the campaign is widespread, with minor variations in the attack methods. In some cases, victims are asked to clone a Web3 repository or fix bugs as part of the “interview” process. Despite the removal of some repositories from Bitbucket, the Lazarus Group continues to modify their attack chain, shifting repository names and recruiter profiles to stay one step ahead of security measures. Bitdefender’s research highlights the evolving nature of the Lazarus Group’s tactics, underscoring their ability to continuously adapt and refine their methods to maximize the success of their malicious campaigns.
