Tuesday, February 25, 2025

Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Marketing campaign

Feb 05, 2025Ravie LakshmananCryptocurrency / Information Breach

Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Marketing campaign

The North Korea-linked Lazarus Group has been linked to an energetic marketing campaign that leverages faux LinkedIn job provides within the cryptocurrency and journey sectors to ship malware able to infecting Home windows, macOS, and Linux working methods.

In response to cybersecurity firm Bitdefender, the rip-off begins with a message despatched on knowledgeable social media community, attractive them with the promise of distant work, part-time flexibility, and good pay.

“As soon as the goal expresses curiosity, the ‘hiring course of’ unfolds, with the scammer requesting a CV or perhaps a private GitHub repository hyperlink,” the Romanian agency mentioned in a report shared with The Hacker Information.

Cybersecurity

“Though seemingly harmless, these requests can serve nefarious functions, akin to harvesting private information or lending a veneer of legitimacy to the interplay.”

As soon as the requested particulars are obtained, the assault strikes to the subsequent stage the place the risk actor, below the guise of a recruiter, shares a hyperlink to a GitHub or Bitbucket repository containing a minimal viable product (MVP) model of a supposed decentralized change (DEX) undertaking and instructs the sufferer to test it out and supply their suggestions.

Current inside the code is an obfuscated script that is configured to retrieve a next-stage payload from api.npoint[.]io, a cross-platform JavaScript data stealer that is able to harvesting information from numerous cryptocurrency pockets extensions which may be put in on the sufferer’s browser.

The stealer additionally doubles up as a loader to retrieve a Python-based backdoor accountable for monitoring clipboard content material adjustments, sustaining persistent distant entry, and dropping extra malware.

At this stage, it is price noting that the ways documented by Bitdefender exhibit overlaps with a recognized assault exercise cluster dubbed Contagious Interview (aka DeceptiveDevelopment and DEV#POPPER), which is designed to drop a JavaScript stealer referred to as BeaverTail and Python implant known as InvisibleFerret.

The malware deployed by way of the Python malware is a .NET binary that may obtain and begin a TOR proxy server to speak with a command-and-control (C2) server, exfiltrate fundamental system data, and ship one other payload that, in flip, can siphon delicate information, log keystrokes, and launch a cryptocurrency miner.

“The risk actors’ an infection chain is advanced, containing malicious software program written in a number of programming languages and utilizing quite a lot of applied sciences, akin to multi-layered Python scripts that recursively decode and execute themselves, a JavaScript stealer that first harvests browser information earlier than pivoting to additional payloads, and .NET-based stagers able to disabling safety instruments, configuring a Tor proxy, and launching crypto miners,” Bitdefender mentioned.

Cybersecurity

There’s proof to counsel these efforts are fairly widespread, going by reviews shared on LinkedIn and Reddit, with minor tweaks to the general assault chain. In some instances, the candidates are requested to clone a Web3 repository and run it regionally as a part of an interview course of, whereas in others they’re instructed to repair deliberately launched bugs within the code.

One of many Bitbucket repositories in query refers to a undertaking named “miketoken_v2.” It’s now not accessible on the code internet hosting platform.

The disclosure comes a day after SentinelOne revealed that the Contagious Interview marketing campaign is getting used to ship one other malware codenamed FlexibleFerret.

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we put up.


Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles