No, Coinbase doesn't want to offer you a job - it's a North Korean scam

Best Cloud Mining
(Image credit: André François McKenzie / Unsplash)

Infamous North Korean threat actor Lazarus Group has been spotted attempting to lure blockchain developers with fake job offers laden with malware

Cybersecurity researchers from Malwarebytes have discovered a new campaign in which Lazarus assumes the identity of Coinbase, one of the world’s biggest and most popular cryptocurrency exchanges.

The criminals then reach out to blockchain developers with a job offer for the role of “Engineering Manager, Product Security", and even conduct a few interviews, to make the whole campaign more believable. At one point, however, the attackers will share a file, seemingly a PDF, with details on the alleged job position. The only thing this file has with a PDF is the icon, however, as it’s, in fact, an executable - Coinbase_online_careers_2022_07.exe. Besides the .exe, the threat actor will also deploy a malicious DLL.

Fake job offers galore

These files will then connect to GitHub, which servers as a command & control (C2) server, which shares further instructions on how to best infect the endpoint

The “fake job offer” type of attack is nothing new. In fact, the biggest crypto theft of all time, a $600 million-heavy attack on the Ronin bridge, happened in the same manner. One of Ronin’s developers was approached, via LinkedIn, by someone pretending to be a headhunter looking for quality developers.

One thing led to another, and the victim ended up downloading a weaponized PDF file which eventually gave the attackers the keys to Ronin’s kingdom. 

The FBI pointed its finger to Lazarus Group for this attack, as well. Regardless of if it ends up being true or not, this threat actor is by no means a stranger to fake job offers. The group has already used General Dynamics and Lockheed Martin for the same purpose. 

Lazarus usually attacks banks, cryptocurrency exchanges, NFT marketplaces, and sometimes people known for holding a heavy bag of cryptocurrencies.

Via: Bleeping Computer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.