According to a report by the Finnish cybersecurity and privacy firm F-Secure, the latest Lazarus attack was made through a crypto-related job advert on the site. The firm's investigation indicated that an individual working in the blockchain space received a phishing message that mimicked a legitimate blockchain job listing.
The message included an MS Word document titled “BlockVerify Group Job Description,” which executed malicious macro code when opened.
F-Secure found that the document shares the same names, authors, and word count elements as publicly available code from VirusTotal, a major internet security website. According to VirusTotal data, the original malicious macro was created in 2019, and 37 antivirus engines have reported it.
“The purpose of the malware was mainly to fetch login credentials and provide access to the victim’s network, eventually to reach the system required to steal the cryptocurrency,” an F-Secure representative said.
In the report, F-Secure outlined that the Lazarus group’s interests reportedly align with those of the government of the Democratic People's Republic of Korea, or DPRK. According to the cybersecurity firm, DPRK’s cyber operations will likely target organizations and companies in verticals outside the crypto industry as well.
The Lazarus group is well known for multiple attacks on the crypto industry. Earlier this year, the hacker group reportedly deployed a series of new viruses to steal crypto from Mac and Windows users. Lazarus was also allegedly involved in stealing nearly $600 million worth of crypto between 2017 and 2018. The amount may have accounted for nearly 65% of the total crypto stolen during the period.
The latest news comes amid a report by the United States Army claiming that North Korea now has more than 6,000 hackers dedicated to crypto and related cybercrimes.