North Korea’s Lazarus hacker group is currently trying to defraud people active in fintech and cryptocurrencies by impersonating a recruiter for Coinbase or other companies.
Lazarus is a group that has long been linked to the North Korean government. In its most recent campaign, members of the group impersonate the cryptocurrency platform Coinbase and target people who work in the financial sector or have experience with cryptocurrencies.
The attack often starts via LinkedIn, where the victim is offered a job as an engineer or security expert. The victim is then sent what is supposedly a PDF, but a Malwarebytes employee discovered that it is in fact an executable file (.exe) that carries the icon of a PDF and seems to refer to a job.
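A defender-side check for the lure described above, as an added example that is not code from Malwarebytes, Bleeping Computer or the original article: it classifies an attachment by its header bytes instead of its name or icon and flags executables presented as job documents. The file names, the sample bytes and the `DOC_EXTS` set are constructed for illustration.

```python
import struct

DOC_EXTS = {"pdf", "doc", "docx"}  # assumed set of document extensions

def content_type(data: bytes) -> str:
    """Classify content by header bytes, ignoring file name and icon."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    # PE file: 'MZ' DOS header whose e_lfanew field (offset 0x3C)
    # points at the 'PE\0\0' signature.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "other"

def triage(name: str, data: bytes) -> dict:
    """Decide whether an attachment sent as a 'job description' is blocked."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = content_type(data)
    reasons = []
    if kind == "pe":
        reasons.append("content is a Windows executable")
        if ext in DOC_EXTS:
            reasons.append("extension claims a document")
        if len(parts) > 2 and parts[-2] in DOC_EXTS:
            reasons.append("double extension hides the real type")
    elif ext == "pdf" and kind != "pdf":
        reasons.append("named .pdf but content is not a PDF")
    return {"name": name, "kind": kind, "block": bool(reasons), "reasons": reasons}

def sample_pe() -> bytes:
    # Constructed sample: DOS header with e_lfanew = 0x40, then the PE signature.
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20

SAMPLES = {  # constructed inputs, not files from the campaign
    "job_description.exe": sample_pe(),
    "job_description.pdf.exe": sample_pe(),
    "job_description.pdf": b"%PDF-1.7\n%constructed sample\n",
    "notes.pdf": b"plain text saved with a .pdf name",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```
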
The practice is not new. Previously, similar attempts were made with job offers on behalf of General Dynamics or Lockheed Martin.
According to Bleeping Computer, anyone who opens the file will still see a fake PDF, but a dangerous DLL file is also loaded. Afterwards, it is possible to control the infected device remotely.
Lazarus, or the Lazarus Group, is best known to the general public for the WannaCry ransomware from 2017. However, the group is usually out for financial gain.