Lazarus, the North Korean government-funded hacking gang, continues to refine its tactics to fleece cryptocurrency giants. According to the findings of Sekoia researchers, the gang has now adopted a technique called ClickFix. This strategy, widely used by hackers of all stripes, relies on user manipulation: cybercriminals trick targets into performing the dangerous actions themselves, which lets the attack slip past security systems.
In the case of the Lazarus attacks, job seekers in the crypto world receive a message containing a document or a link to a website. These display a fake warning indicating that a viewing problem has been encountered. To fix the supposed bug, the user is invited to click on the alert and follow the instructions provided, which results in the installation of malware. This malware then seizes the targets' cryptocurrencies, and the stolen bitcoins swell the North Korean government's coffers. Since 2017, North Korea has been using Lazarus to make fortunes.
Lazarus impersonates crypto platforms
To trap targets, Lazarus impersonates major players in the crypto industry, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit. By impersonating these companies, Lazarus hackers offer fake interviews to job seekers in the cryptocurrency world.
To contact job seekers, Lazarus uses emails or social media, such as X or LinkedIn. They then promote software projects or tool tests in development to convince the victim to download and install the virus. This is where the fake alert comes in and completes the hacking process. Obviously, Lazarus calibrates the documents sent based on the target and their skills.
This is why developers receive software tests, while more marketing-oriented profiles get simple invitations to online interviews. During the exchange, the hacker "expresses interest in a potential participant and suggests they visit a third-party website to engage in a brief remote interview to gather additional information."
An attack that has been ongoing for two years
When the victim tries to record a video with their webcam, a fake error message is displayed. It claims that a driver problem is blocking the camera and gives instructions to correct the problem. The new driver actually contains the malicious payload. To achieve its goals, the attack relies on malware called GolangGhost. Compatible with Windows and macOS, it is capable of taking control of a computer remotely, spying on the user's activities, or even installing other malicious tools. The campaign has been active for two years, but the number of compromise attempts is still high in the first quarter of 2025, with the emergence of the new ClickFix tactic.
Source: Sekoia