Researchers at SentinelOne have warned that North Korea’s Lazarus Group is using phony Crypto.com job offers to distribute macOS malware. The researchers aren’t sure how the lures are being distributed, but they suspect the attackers are sending spear phishing messages on LinkedIn. SentinelOne notes that this campaign “appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.”
“Back in August,” SentinelOne’s report says, “researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange Crypto.com.”
The campaign seems to represent a kind of twofer for Pyongyang. On the one hand, it’s intended to enable cryptocurrency theft, and this is desirable as a way of redressing North Korea’s chronic shortage of funds, driven by decades of sanctions and isolation. On the other hand, it’s also useful for espionage. They’re interested in prospecting both users and employees of cryptocurrency exchanges. There’s continuity with earlier efforts that targeted cryptocurrency exchanges, notably 2018’s AppleJeus campaign.
We’ve seen this kind of thing before. Note in particular the abuse of generally trusted platforms like LinkedIn that cater to professionals and the advancement of their careers. New-school security awareness training can teach your employees to recognize phishing and other social engineering attacks. The world of cryptocurrency may not (quite) be the Wild West, but it’s not a safe corner of cyberspace, either.