Lazarus Masquerades as Crypto[.]com in Updated Job Offer Campaign
Category: Threat Actor Activity | Industry: Financial - Cryptocurrency | Level: Strategic | Source: SentinelOne
The North Korean threat group Lazarus has repeatedly used reputable company names in its "Operation Dream Job" phishing campaigns to lure victims with fictitious job openings. In its most recent activity the group has been observed masquerading as the cryptocurrency exchange Crypto[.]com. Discovered by SentinelOne, Lazarus's "Operation In(ter)ception" specifically targets users in the cryptocurrency space with the goal of stealing cryptocurrency and other digital assets of value. Starting in August 2022, Lazarus added macOS malware to its arsenal alongside the Windows malware it already distributed. The infection chain begins with the fictitious job posting delivered as a PDF document; when it is executed, a folder is created in the user's Library directory, into which the stage 2 and stage 3 payloads are dropped. The "WifiAnalyticsServ.app" then establishes persistence through an agent (wifianalyticsagent), which also connects to the attacker's command and control (C2) server to download the final payload. Unfortunately, the threat actor's C2 was offline, halting further analysis of the infection chain and the final payload.

The low effort evident in the threat actor's code suggests the campaign is a short-lived operation: "The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets." Having already impersonated Coinbase and now Crypto[.]com, Lazarus will likely impersonate more cryptocurrency providers in the future. Users in the cryptocurrency space are encouraged to be vigilant against unsolicited job offers arriving through email and social media channels.
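A defender-side hunt for the persistence component described above, added here as an example and not taken from the SentinelOne report: it parses launchd agent plists and flags any whose Label, Program or ProgramArguments reference WifiAnalyticsServ or wifianalyticsagent. That the agent is registered through a LaunchAgent plist, and the sample label and executable path, are assumptions; the folder name under the Library directory is a placeholder because the report does not name it.

```python
import os
import plistlib
import tempfile

# Names taken from the report; matched case-insensitively.
INDICATORS = ("wifianalyticsserv", "wifianalyticsagent")

def plist_indicators(plist_path):
    """Indicator names referenced by one launchd plist's Label, Program
    or ProgramArguments; empty list if none (or if it will not parse)."""
    with open(plist_path, "rb") as fh:
        try:
            data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError):
            return []
    fields = [str(data.get("Label", "")), str(data.get("Program", ""))]
    fields.extend(str(arg) for arg in data.get("ProgramArguments", []))
    haystack = " ".join(fields).lower()
    return [name for name in INDICATORS if name in haystack]

def scan_launch_agents(agents_dir):
    """Map each matching .plist filename in agents_dir to its matches."""
    hits = {}
    for entry in sorted(os.listdir(agents_dir)):
        if entry.endswith(".plist"):
            matched = plist_indicators(os.path.join(agents_dir, entry))
            if matched:
                hits[entry] = matched
    return hits

def demo():
    """Constructed sample: one benign agent and one modelled on the report.
    Label and path are hypothetical; the report does not name the folder."""
    agents_dir = tempfile.mkdtemp()
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/usr/bin/true"]},
        "suspect.plist": {
            "Label": "wifianalyticsagent", "RunAtLoad": True,
            "ProgramArguments": ["/Users/victim/Library/PLACEHOLDER_DIR/"
                                 "WifiAnalyticsServ.app/Contents/MacOS/"
                                 "wifianalyticsagent"]},
    }
    for name, content in samples.items():
        with open(os.path.join(agents_dir, name), "wb") as fh:
            plistlib.dump(content, fh)
    return scan_launch_agents(agents_dir)
```

On a real host, point scan_launch_agents at the user's and system LaunchAgents directories and treat any hit, or any plist that fails to parse, as a lead for manual review rather than proof of compromise.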