2022-08-09

Lazarus has become one of North Korea's most prominent hacking groups, and the many attacks it has carried out since at least 2009 have put a great many users on alert. Now the group is in the spotlight again with a new social engineering campaign in which its operators pose as Coinbase employees to deceive people applying for a job there.

Social engineering deceives a specific user by exploiting a need, such as a job search. In this campaign, the attackers pose on LinkedIn as Coinbase executives and extend a job offer. This gives them a pretext to strike up a conversation with prospective employees from the fintech (financial technology) industry.

An attack disguised as a PDF job offer from Coinbase

Coinbase is widely known as one of the most used cryptocurrency exchange platforms worldwide. That makes a job offer from the company genuinely attractive, which is exactly what the North Korean group is exploiting. Specifically, through LinkedIn they target candidates for roles responsible for engineering, as researcher Hossein Jazi has pointed out.

The lure is a PDF file, sent to potential candidates, that supposedly contains the terms of the job offer at Coinbase. What the interviewees actually download is a malicious file carrying a PDF icon; the document is merely a decoy, and the file goes on to install a malicious DLL.

Once it runs (when the supposed PDF is opened), GitHub is used as a server from which the malware downloads the commands needed to fully infect the computer and exfiltrate the information the attackers are after.

The group specifically targets people who hold cryptocurrency investments or are active in the NFT market. This is what happened at Axie Infinity, where an engineer at the company received this PDF file in Coinbase's name. When he executed it, the engineer's computer was infected and the compromise spread through the company, enabling the theft of millions of dollars in virtual currency, an attack that should be kept in mind.
