A new phishing campaign by the well-known North Korean group Lazarus has been discovered, in which hackers impersonate representatives of the Coinbase platform to attack employees of the fintech industry.
Cybercriminals use LinkedIn to offer victims jobs and pre-interviews using social engineering techniques. The members of the group are targeting candidates suitable for the position of “Product Safety Engineering Manager”. Malwarebytes security researcher Hossein Jazi first discovered the campaign and reported it on Twitter.
The victim is required to download the Job Information PDF file, which is a malicious executable file with a PDF icon. The file is called “Coinbase_online_careers_2022_07.exe” and when executed, it displays a PDF document and also downloads a malicious DLL.
Once launched, the malware uses GitHub as a Command and Control (C2) server to receive commands to execute on the infected device. At the moment there is no information about the victims and affected organizations.
Lazarus uses similar tactics and methods to infect its targets with malware, and the infrastructure of individual phishing campaigns overlaps. Running a Coinbase campaign only requires one person in the company to open the PDF and allow the hackers to gain initial access to the corporate network.
Previously, Lazarus carried out the largest hack in the history of decentralized finance and stole $625 million from the game Axie Infinity. The attackers managed to deceive one of the senior engineers of Sky Mavis (the developer of Axie Infinity) and infect his computer with malware that was embedded in a PDF file with an offer from a fictitious company.