Fake Coinbase job offers are deployed by North Korean hackers, Lazarus, to entice fintech employees.
The notorious hacking group, believed to be backed by the North Korean government, is back in operation, luring financial technology employees with malicious job offers.
Lazarus approaches these targets with LinkedIn job offers that promise much better compensation.
Fake Coinbase Job Offers
The well-known North Korean hacking group Lazarus has been found to be pretending to be Coinbase in order to target workers in the fintech industry.
The group approaches targets over LinkedIn, presents a job offer, and holds a preliminary discussion as the opening step of a social engineering attack.
Because the lure is Coinbase, one of the world's most popular cryptocurrency platforms, the offer draws genuine interest from targets.
A Twitter user named Jazi posted a screenshot of the sample email that was sent by the actors.
The email states that Coinbase is looking for candidates that will thrive in a culture like theirs; people they can trust; people who can embrace feedback; and people excited to learn.
It also said, "We're a remote-first company looking to hire the absolute best talent all over the world."
According to BleepingComputer, Hossein Jazi is a security researcher at Malwarebytes. Since February 2022, he has been closely monitoring the activity of the Lazarus group.
The threat actors are impersonating Coinbase and attempting to recruit people for the position of "Engineering Manager, Product Security." The actors also highlighted in their email a few skill sets they are looking for the candidates to have.
Bleeping Computer stated, "Lazarus follows similar tactics and methods to infect their targets with malware, and the individual phishing campaigns feature infrastructure overlaps."
The hackers lure victims into downloading what appears to be a PDF job description but is actually an executable named "Coinbase_online_careers_2022_07.exe." Victims unknowingly run the malicious executable, which displays a PDF as a decoy while loading a malicious DLL.
Once executed, the malware uses GitHub as a command-and-control server to fetch instructions for what to do on the infected device.
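The lure described above depends on a file whose name suggests a document while its content is a Windows executable. The following added example (not code from the article or from any vendor mentioned in it) shows a defender-side check that compares what a file name claims with what its leading bytes actually are; the lure-word list, the sample file names other than the one reported, and the byte stubs are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Leading bytes that reveal a file's real type regardless of its name.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",           # Windows executable or DLL
    b"PK\x03\x04": "zip",  # also Office OOXML documents
}

# Words job-offer lures tend to use in file names (assumed list, not from the report).
LURE_WORDS = re.compile(r"career|job|offer|resume|description|interview", re.I)


@dataclass
class Verdict:
    name: str
    actual: str       # type implied by content bytes
    suspicious: bool
    reason: str


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(name: str, data: bytes) -> Verdict:
    """Flag files whose name reads like a document but whose bytes are a PE image."""
    actual = sniff(data)
    lower = name.lower()
    looks_like_document = (
        lower.endswith(".pdf") or ".pdf." in lower or bool(LURE_WORDS.search(lower))
    )
    if actual == "pe" and looks_like_document:
        return Verdict(name, actual, True, "executable content behind a document-style name")
    if lower.endswith(".pdf") and actual != "pdf":
        return Verdict(name, actual, True, "claims .pdf but content is not PDF")
    return Verdict(name, actual, False, "name and content agree")


# Constructed samples: byte stubs only, not real files. The first name is the one reported.
SAMPLES = {
    "Coinbase_online_careers_2022_07.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "job_description.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "job_description.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "setup.exe": b"MZ\x90\x00",
}


def scan(samples: dict) -> list:
    """Assess every (name, bytes) pair and return the verdicts."""
    return [assess(name, data) for name, data in samples.items()]
```

Running scan(SAMPLES) flags the first two entries and passes the last two; in practice the same check belongs in a download-inspection or mail-gateway step rather than on the endpoint alone.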
The Axie Infinity Hack by Lazarus
This fake job offer tactic has been used before by malicious actors to breach organizations and companies.
Back in March, one of the most popular play-to-earn blockchain games, Axie Infinity, was also hacked using the same strategy.
As previously reported in iTechPost, the breach was found by the Sky Mavis team on March 29, 2022. The hacking group made contact with employees at Sky Mavis by posing on LinkedIn as a company that was looking to hire.
Lured by the extraordinarily attractive pay, one of the senior engineers previously employed by Axie Infinity expressed interest in the fake employment offer.
Following a lengthy process consisting of a series of interviews, the applicant for the position was presented with a PDF file that detailed information surrounding the project.
Once the file was downloaded and opened, the document launched its malicious payload, giving the attackers access to Axie Infinity's systems and paving the way for the breach.
The cryptocurrency play-to-earn game lost multiple Ethereum tokens, amounting to a massive $620 million loss of crypto.
Just like the malicious fake job offers purporting to come from Coinbase, the Axie Infinity attack was attributed by the FBI to the Lazarus group.