FlagThis - #lazarus

A new "ClickFake Interview" campaign, attributed to the Lazarus Group, is targeting professionals in the cryptocurrency sector with fraudulent job offers. Security researchers at Sekoia discovered the operation, revealing that threat actors impersonate recruiters on platforms like LinkedIn and X (formerly Twitter) to lure victims into fake job interviews. These interviews are designed to trick candidates into opening malicious documents or clicking on compromised links, ultimately leading to malware infection and potential data theft.

The malware, dubbed "ClickFix" or sometimes distributed through the GolangGhost backdoor, grants attackers remote access to compromised systems. This allows the Lazarus Group to steal sensitive information, including cryptocurrency wallet credentials, execute arbitrary commands, and maintain persistent access. Sekoia warns that this campaign reflects a new Lazarus strategy targeting cryptocurrency industry employees, even those with limited technical expertise, making them less likely to detect malicious activity during the interview process. Professionals are advised to verify recruiter identities, avoid downloading files from unknown sources, and utilize endpoint protection to mitigate risks.


References :

• : New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
• www.scworld.com: ClickFix technique leveraged in new crypto-targeted Lazarus attacks
• Virus Bulletin: Sekoya researchers discovered a ClickFake Interview campaign targeting job seekers with fake job interview websites. The infrastructure aligns with technical indicators linked to the Contagious Interview campaign and delivers GolangGhost backdoor for Windows & macOS
• Security Risk Advisors: Lazarus Uses “ClickFake Interviewâ€� to Distribute Backdoors via Fake Crypto Job Websites
• The Hacker News: Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

Classification:

• HashTags: #ClickFake #Lazarus #Backdoor
• Company: Secoia
• Target: job seekers
• Attacker: Lazarus
• Product: interview
• Feature: fake interviews
• Malware: GolangGhost
• Type: Espionage
• Severity: Major

Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.

The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service for data exfiltration.


References :

• bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
• BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
• Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
• gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
• Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For later movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
• Osint10x: Fake Zoom Ends in BlackSuit Ransomware
• securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
• bsky.app: Lazarus adopts ClickFix technique.
• : New “ClickFake Interview†campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
• BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.

Classification:

• HashTags: #Ransomware #BlackSuit #Malware
• Company: Multiple
• Target: Windows users
• Product: Zoom
• Feature: Fake Zoom installer
• Malware: BlackSuit Ransomware
• Type: Ransomware
• Severity: Disaster

The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.

Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.


References :

• The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
• BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
• bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
• The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
• socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
• securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
• hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
• Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
• www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
• securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
• BleepingComputer: Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
• Security Risk Advisors: The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying
• Security Risk Advisors: Lazarus Group Deploys Malicious npm Packages to Target Developers and Exfiltrate Data
• securityonline.info: The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control The post appeared first on .
• Datadog Security Labs: Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access

Classification:

• HashTags: #supplychain #malware #npm
• Company: npm
• Target: Developers
• Attacker: Lazarus
• Product: npm packages
• Feature: supply chain compromise
• Malware: BeaverTail
• Type: Malware
• Severity: Major