do son@securityonline.info
//
A new "ClickFake Interview" campaign, attributed to the Lazarus Group, is targeting professionals in the cryptocurrency sector with fraudulent job offers. Security researchers at Sekoia discovered the operation, revealing that threat actors impersonate recruiters on platforms like LinkedIn and X (formerly Twitter) to lure victims into fake job interviews. These interviews are designed to trick candidates into opening malicious documents or clicking on compromised links, ultimately leading to malware infection and potential data theft.
The malware, dubbed "ClickFix" or sometimes distributed through the GolangGhost backdoor, grants attackers remote access to compromised systems. This allows the Lazarus Group to steal sensitive information, including cryptocurrency wallet credentials, execute arbitrary commands, and maintain persistent access. Sekoia warns that this campaign reflects a new Lazarus strategy of targeting cryptocurrency industry employees, including those with limited technical expertise, who are less likely to detect malicious activity during the interview process. Professionals are advised to verify recruiter identities, avoid downloading files from unknown sources, and use endpoint protection to mitigate risks.
Cynthia B@Metacurity
//
The Lazarus Group, a North Korean hacking organization, has reportedly laundered 100% of the $1.4 billion stolen from the Bybit cryptocurrency exchange. This information was initially reported by The Record and other cybersecurity news outlets. The stolen funds, in the form of Ethereum (ETH), were moved to new addresses, which is the first step in laundering cryptocurrency.
This rapid laundering of such a large sum indicates a high level of operational efficiency by the North Korean hackers. Ari Redbord, a former federal prosecutor and senior Treasury official, described this event as showing an “unprecedented level of operational efficiency.” He also suggested that North Korea has expanded its money laundering infrastructure or that underground financial networks, especially in China, have improved their ability to handle illicit funds. This situation underscores the increasing sophistication of North Korea's cybercrime activities and their ability to quickly process stolen cryptocurrency.