Author

Topic: Lazarus Group campaign targeting crypto thru LinkedIn (Read 206 times)

legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Deliberately resurfacing this thread to reflect that, fast forwarding 2 years since the depicted events in the OP, Lazarus seems to still use the same conceptual approach to infiltrate malware/spyware in crypto companies.

The article referenced below depicts how they are not targeting crypto company employees with alleged job offers from Coinbase, and lately from Crypto.com. The offer is sent to them from within LinkedIn as a direct message. The message seemingly contains a pdf with a job offer from one of these mentioned companies, albeit it really being a macOS binary guised as a pdf with the offer.


On this occasion, the bait affects users with a different OS (macOS) than the one mentioned in the OP, and alongside a fake offer, the binary installs the malware goodies it brings, allegedly aimed at stealing crypto, nfts, or perform espionage within the recipients company.

See: https://www.bleepingcomputer.com/news/security/lazarus-hackers-drop-macos-malware-via-cryptocom-job-offers/
hero member
Activity: 2800
Merit: 595
https://www.betcoin.ag

I do have a profile there amnd receives a lot of messages but never really opened most of them. There are more spammers in linkedin than on facebook actually [..snip..]

That is weird if there are more spammers in LinkedIn since this is a niche (professionals). I've look for their blogs and this is what I found out on how to protect your privacy in your LinkedIn Account.

https://blog.linkedin.com/2014/01/28/data-privacy-day-5-ways-to-protect-your-linkedin-account

Nothing is really read there unless you got to a particular linkedin groups and data privacy will still not protect anyone.

I'm in linkedin to also promote my affilaite link which is why I added lots of people in my network and its easy to do this. Linkedin wouldn't mind if you add tons of people all day actually.  By adding users on my network, I get them to check my profile where the link of the product I promote. For awhile I thought this strategy works but its not. Most of the linkedin users are just attempting to impress through their educational background and so forth in the end, they are the ones selling you something.
full member
Activity: 924
Merit: 221
Emails too could do. There are thousands of email being sent just to scam others. And there are no exemption to this you may be professional or not.

In our place I think only few people are using linkedin and it is not too familiar. Linkedin is also like a social media platform where updates to current events are being posted. However, most of the people know about facebook than Linkedin.

The most dangerous attack on scamming would be probably on facebook.and twitter. This sovial media are always used as a medium.for scamming that also includes youtube.
legendary
Activity: 2450
Merit: 1047
The management should start deleting fake profiles and trace where these people are signing up, we know-how good LinkedIn reputation, and if they are not going to fix this, people will be leaving their platform, because this is a subscription-based platform and you do not pay just to get your account hacked, better clean up their platform.
hero member
Activity: 2870
Merit: 594
I guess the moral here is that if you are currently employed in any job that is crypto related, like a system administrator or a support, you better hide your employment history because the risk is really very high that you are going to be targeted as the weakest link. Just like what we have seen in the Twitter account recently.

Why will the person in question hide employment or appointment letter.
Does it have any effect, please explain categorically
So that can comprehend  it and put it as a working document to avoid any future hindrance via obstacles.
And employment opportunity.
If you read the attack vector, Lazarus group is scanning LinkedIn for someone that fits the description, a system admin working on crypto currency, it could be an exchange or could be working on a crypto related projects. So if you display in your profile that you are working in A crypto exchange as a sys ad or a support, then definitely the hackers are going to target you. And to avoid this, I say that it is better to hide your employment history to the likelihood and the risk that you are going to be a target is slim to null.
hero member
Activity: 2842
Merit: 772

I do have a profile there amnd receives a lot of messages but never really opened most of them. There are more spammers in linkedin than on facebook actually [..snip..]

That is weird if there are more spammers in LinkedIn since this is a niche (professionals). I've look for their blogs and this is what I found out on how to protect your privacy in your LinkedIn Account.

https://blog.linkedin.com/2014/01/28/data-privacy-day-5-ways-to-protect-your-linkedin-account
hero member
Activity: 2660
Merit: 551
I kept on receiving messages in my inbox requesting for job applications especially crypto related job but I sometimes asked myself how these set of people knew exactly that I'm a crypto enthusiast, then i knew exactly that the information to them was gotten from my profile save point. I don't just click on the URLs sent because I didn't authorize for such links so I find the nearest exist.
This incidence is a new hacking systems I think, every user should be strictly aware of this and never to click on unauthorized links.

Maybe they are trying to bait you into it that's why you are receiving such messages regardless if you are a crypto enthusiast or not. This could be a new hacking system, or we just really haven't heard that this kind of social platforms are also being targeted by scammers because it is a huge database that they can take advantage of. And what are the odds of someone clicking the click and getting hack and used their credentials to other sites.
hero member
Activity: 2800
Merit: 595
https://www.betcoin.ag

I do have a profile there amnd receives a lot of messages but never really opened most of them. There are more spammers in linkedin than on facebook actually which is why I don;t read the messages I get from strangers. Although there are some that is very convincing to be a real user yet eventually they will offer something later.

Most offers I've received are:

-Tokens in ICO
-Blockchain company looking for partners
-Token listing
sr. member
Activity: 1232
Merit: 379
I kept on receiving messages in my inbox requesting for job applications especially crypto related job but I sometimes asked myself how these set of people knew exactly that I'm a crypto enthusiast, then i knew exactly that the information to them was gotten from my profile save point. I don't just click on the URLs sent because I didn't authorize for such links so I find the nearest exist.
This incidence is a new hacking systems I think, every user should be strictly aware of this and never to click on unauthorized links.
hero member
Activity: 1498
Merit: 711
Enjoy 500% bonus + 70 FS
I guess the moral here is that if you are currently employed in any job that is crypto related, like a system administrator or a support, you better hide your employment history because the risk is really very high that you are going to be targeted as the weakest link. Just like what we have seen in the Twitter account recently.

Why will the person in question hide employment or appointment letter.
Does it have any effect, please explain categorically
So that can comprehend  it and put it as a working document to avoid any future hindrance via obstacles.
And employment opportunity.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
It seems like a more subtle and targeted version of prior backdoor campaigns that took place last year using LinkedIn as an initial touchpoint (see https://www.securityweek.com/backdoor-targets-us-companies-linkedin).

Since LinkedIn allows for document to be sent or shared within the platform (Documents - CSV, XLS, XLSX, DOC, DOCX, PPT, PPTX, PDF, TXT, HTML, HTM), these documents, once accessed are subject to the same issues you can have with any file with a macro/script that you decide to download and authorise, especially on MS office documents. LinkedIn here gives a credible context to the received document, and believing that anything within the platform is legit, may bypass people’s awareness, leading to the scripts to be enabled when accessing this type of document.

Not sure how much blame can be put on Linked-in, perhaps not that much, but at least there should be ample warnings within the platform to be wary of opening such type of documents, in addition to those provided by the MS Office documents themselves when enabling macros (I can’t recall seeing them, though I haven't checked for a while).
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
This stuff is only just beginning to warm up. Lord knows how creative nefarious types will be in future and people who sprayed their crypto presence across the internet when it was a quirky perversion rather than a juggernaut may live to regret it.
full member
Activity: 2324
Merit: 175
This is something new and a big alarm for those working in LINKED I am not active in LinkedIn I almost forgot that I have an account there, but Linkedin management should warn their users about this exploit or scheme, or they will lose their reputation, they must stop these hackers and scammers from infiltrating their platform.
hero member
Activity: 924
Merit: 520
Since this exploit attack vector have been recently discovered, we should expect to see more of these kinds and be vigilant to similar tactics that would likely be used by the these bad actors.

I just hope that everyone would be suspicious if ever they have received these kinds of files and take necessary precautions in order to avoid being compromised.

In this regard I also hope LinkedIn would also take necessary actions to protect its community from these kinds of attacks.
hero member
Activity: 2870
Merit: 594
I guess the moral here is that if you are currently employed in any job that is crypto related, like a system administrator or a support, you better hide your employment history because the risk is really very high that you are going to be targeted as the weakest link. Just like what we have seen in the Twitter account recently.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
So if you have a LinkedIn and received such malicious message, specially if it is shortened, don't ever click on the link and use your common sense here as you might fall victim to this group and lost your crypto assets in a blink of an eye.
You are very right, but even, if the link is shortened or not shortened, it is best not to click on links you do not authorize for, even if it has HTTPS with SSL cerrtificate. Also, not only on linkedin but also on any social media and other websites. Unknown links are generally risky, it can be the beginning of malware installation which can lead to wallet, exchange, bank details, 2fa, and many other sensitive information to be compromised on the device.

If impossible not to click on such links due to certain important reasons, then, do not store your sensitive data on the device used for such activities, make sure you still authorize for the links you click. Do not store your wallet and exchange accounts, 2fa app and the likes on the device as well.
legendary
Activity: 2506
Merit: 1394
I also have linked in but never tried to receive some messages like this, but thanks for this.

This is also very prone to some job seekers, especially for those newbies that is not so techy.
For past few months, I received some multiple job offers via LinkedIn messages, if they message me about hiring, I ask some full job description of the position hiring, some of them are giving you a link, some may contain external links for the job description (this could also be another way to attack their targets).
But of course, I am careful with these, and also I am checking their accounts first if they are something like legit or just a dummy accounts.
legendary
Activity: 2576
Merit: 1655
Lazarus group are now using LinkedIn - an online platform that connects every professionals around the world. I have a LinkedIn account myself, so I'm familiar on how it is being used. And so the hacking group Lazarus from North Korea are on the hunt using this platform for someone who is working on crypto like sys ad or probably even just a average joe like you and me that involves himself in crypto blockchain specially if it is written on your LinkedIn profile.

Quote
INITIAL ACCESS
F-Secure’s investigation revealed that a system administrator from the target organization received a phishing document via their personal LinkedIn account. The document masqueraded as a legitimate job advert for a role in a blockchain technology company that matched the employee’s skills.



https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf

So if you have a LinkedIn and received such malicious message, specially if it is shortened, don't ever click on the link and use your common sense here as you might fall victim to this group and lost your crypto assets in a blink of an eye.
Jump to: