The infamous Lazarus cyber threat group, famed for their record-breaking $1.5 billion ByBit crypto heist, has unleashed another attack against the crypto community. In their latest criminal campaign, dubbed ClickFake Interview, the gang is using fake job interviews to target cryptocurrency professionals.
Please, Take a Seat
The ClickFake Interview operation can be understood as the latest iteration of similar campaigns, such as the DeceptiveDevelopment and Contagious Interview attacks, also undertaken by Lazarus, involving phony job interviews for fictitious positions. In both attacks, candidates were duped into downloading and running BeaverTail downloader malware that delivers InvisibleFerret, a cross-platform Python backdoor equipped with remote control, keylogging, and browser-stealing capabilities.
In these latest ClickFake Interview attacks, Lazarus has evolved its social engineering tactics by adding the ClickFix technique. As in the previously mentioned campaigns, candidates are lured to fake interview websites crafted using ReactJS, which contain dynamic content loaded from JavaScript files that replicate authentic interviews. When applicants are asked to enable their camera during this ‘interview’, a fake pop-up error message appears stating that access to the user’s camera or microphone is currently blocked. The message says that the problem can be fixed by downloading drivers.
Unresolved Issues
What happens next in the attack is contingent upon the operating system in use. Needless to say, the unresolved ‘issues’ don’t get resolved…
For macOS users, a Bash script named coremedia.sh downloads and extracts malicious files and creates a launch agent plist file for persistence. A stealer named FrostyFerret then retrieves system passwords. Finally, Go malware designed for remote control and data theft, which Sekoia has coined GolangGhost, is deployed.
Windows users experience a different process in which a Visual Basic Script (VBS) downloads a NodeJS-based payload called nvidia.js that extracts malicious files. Persistence here is established via registry keys before GolangGhost is launched through a batch file.
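For defenders, the macOS persistence step described above can be checked by auditing launch agent plists for jobs that start a script at login. The Python below is an added example, not code from the article or from Sekoia; only the file name coremedia.sh comes from the article, while the sample plists, their paths, and the interpreter and extension lists are constructed assumptions.

```python
import plistlib
from pathlib import Path

NAMED_FILES = {"coremedia.sh"}  # macOS script name given in the article
SCRIPT_EXTS = {".sh", ".command", ".py", ".js"}  # heuristic assumption
INTERPRETERS = {"sh", "bash", "zsh", "python3", "node", "osascript"}  # heuristic

def audit_launch_agent(plist_bytes):
    """Return findings for one launch agent plist; an empty list means nothing flagged."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        job = None
    if not isinstance(job, dict):
        return ["unparseable plist"]
    args = list(job.get("ProgramArguments") or [])
    if job.get("Program"):
        args.insert(0, job["Program"])
    args = [a for a in args if isinstance(a, str)]
    names = {Path(a).name.lower() for a in args}
    findings = [f"references file named in the article: {n}"
                for n in sorted(names & NAMED_FILES)]
    runs_script = bool(names & INTERPRETERS) or any(
        Path(a).suffix.lower() in SCRIPT_EXTS for a in args)
    # RunAtLoad starts the job whenever the agent is loaded, i.e. at each login.
    if runs_script and job.get("RunAtLoad"):
        findings.append("script launched at every login (RunAtLoad)")
    return findings

def audit_directory(directory):
    """Audit every *.plist in a directory such as ~/Library/LaunchAgents."""
    results = {}
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        found = audit_launch_agent(path.read_bytes())
        if found:
            results[path.name] = found
    return results

# Constructed samples: the paths are placeholders, not campaign indicators.
SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/Users/EXAMPLE/placeholder/coremedia.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
```

A script-at-login finding on its own is a prompt for review rather than proof of compromise, since legitimate tools also register shell scripts as launch agents.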
Feedback
Roger Grimes, Data-driven Defence Evangelist at KnowBe4, provided expert insight into the scale of these ‘fake interview’ style operations. “There are currently tens of thousands of innocent people responding to fake employer ads, which will either end up harming themselves financially, harming their current employer, or both. This is a big, big problem that is aggravated because most victims, people and organisations, don’t want to talk about what happened. It allows the damage to be even more widespread.”
Commenting on how the Lazarus group has pivoted into targeting non-technical roles with these scams, Dr Martin Kraemer, a Security Awareness Advocate also operating at KnowBe4, believes this approach will become the new normal. “The Lazarus group has developed the toolkit to target non-technical roles, and this capability will stay. In this case, script execution can be deactivated and deployment of the malware stopped. In any case, we must raise awareness of these types of threats, where a new job becomes the bait, and your employees turn into victims.”
Actionable Steps
One of the most concerning aspects of the ClickFake Interview campaign is that, by targeting industries like crypto, it reaches prospective candidates who will most likely be less security-savvy than previously targeted groups such as software developers and engineers. This makes these potential victims less likely to spot the signs of social engineering and less likely to detect malicious commands. It is essential, therefore, that individuals in the cryptocurrency space stay vigilant, as the sector is being targeted more frequently. Specifically, ahead of upcoming interviews, verify authenticity through official channels, and never click on links that aren’t from trusted sources.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


