A new attack campaign known as Operation 99 has been attributed to the Lazarus Group, a North Korea-linked cybercriminal organization. The campaign primarily targets software developers, especially those seeking freelance work in the Web3 and cryptocurrency fields. The attack begins with fake recruiters posing as legitimate professionals on platforms like LinkedIn, offering project tests and code reviews to attract developers. Once a victim engages, they are instructed to clone a malicious GitLab repository that appears harmless but contains malware. The malware connects to command-and-control (C2) servers and infiltrates the victim’s environment, leading to significant data theft.
The global impact of Operation 99 has been substantial, with victims primarily located in Italy but also in countries including Argentina, Brazil, France, Germany, and the U.S. The name “Operation 99” refers to malicious artifacts used in the campaign, whose version identifiers are marked “pay99.” These tactics are a continuation of the Lazarus Group’s previous job-themed cyber campaigns, such as Operation Dream Job. The group’s ability to craft highly convincing recruitment schemes, leveraging AI-generated profiles and realistic communication techniques, makes it particularly effective against developers and IT professionals.
The ultimate objective of the operation is to deploy data-stealing implants capable of exfiltrating source code, secrets, and cryptocurrency wallet keys from victims. These implants include several payloads: Main5346, which collects system data and establishes persistent connections to C2 servers; Brow99, which is designed to steal credentials from web browsers; and MCLIP, which monitors and exfiltrates keyboard and clipboard activity in real time, further facilitating the theft of sensitive information. By compromising developers, the attackers gain access to intellectual property and cryptocurrency wallets, which can lead to substantial financial theft.
Operation 99 is notable for its use of modular malware that can operate across multiple operating systems, including Windows, macOS, and Linux. This versatility highlights the Lazarus Group’s continued evolution and adaptability in cyberattacks. For North Korea, cybercrime is an essential revenue-generating tool, with the Lazarus Group funneling stolen cryptocurrency to fund the regime’s activities. As the Web3 and cryptocurrency industries continue to expand, the group’s focus on them underscores these sectors’ growing importance as targets for financially motivated cyberattacks.