A new report from Group-IB details an ongoing campaign by the North Korean Lazarus Group, dubbed “Eager Crypto Beavers,” in which fake job offers and trojanized video conferencing applications are used to distribute malware.
According to a new report from Group-IB, the North Korean government-backed Lazarus Group is stepping up its financially motivated cybercrime campaigns. Dubbed “Eager Crypto Beavers,” the ongoing campaign is using increasingly sophisticated tactics to target blockchain professionals and developers.
The Contagious Interview Campaign
Researchers observed a campaign called “Contagious Interview,” in which victims are lured with fake job offers. Job seekers are tricked into downloading and running a malicious Node.js project that contains a malware variant called “BeaverTail.” BeaverTail then deploys a Python backdoor known as “InvisibleFerret,” which ultimately steals sensitive data.
The attackers have also expanded their delivery methods to fraudulent video conferencing applications such as “FCCCall,” which mimic legitimate platforms. These applications are distributed via cloned websites and serve as a delivery mechanism for the BeaverTail malware.
![Lazarus Group Targets Blockchain Professionals with Fake Video Conferences and Job Scams](https://hackread.com/wp-content/uploads/2024/09/lazarus-group-blockchain-fake-video-conferencing-job-scam-1.jpg)
In the latest Group-IB report shared with Hackread.com, the company revealed that the group now recruits targets through job portals such as WWR (We Work Remotely), Moonlight, and Upwork, in addition to LinkedIn.
Once contact is made, the group moves conversations to platforms such as Telegram to keep manipulating its victims. Lazarus has also injected malicious JavaScript into gaming and cryptocurrency projects on GitHub, and the fraudulent video conferencing applications such as “FCCCall” serve the same purpose: installing BeaverTail. Once installed on Windows, BeaverTail steals browser credentials and cryptocurrency wallet data before running a second piece of malware, InvisibleFerret.
It should be noted that the BeaverTail malware also targets macOS devices.
The group’s malware repositories contain obfuscated code that fetches additional payloads from command-and-control (C2) servers at runtime, so the repository itself reveals little to static inspection. In addition, the Python version of BeaverTail and another tool, CivetQ, enable remote access via AnyDesk and provide persistence on Windows, macOS, and Linux systems.
Worse yet, Lazarus has expanded its data theft targets to include browser extensions, password managers, and even Microsoft Sticky Notes, exfiltrating stolen data via FTP and Telegram. The report’s indicators of compromise (IOCs) include the C2 endpoints used for payload downloads and file signatures of the malware components.
Are you surprised? Don’t be!
The Lazarus Group, known for helping to fund the North Korean economy by stealing hundreds of millions of dollars through cyberattacks, is using new tactics. The shift is not surprising and is a clear reminder that cyberattacks pose a major threat to businesses and individuals alike.
This is why it is necessary to implement cybersecurity training in companies and schools. It is also necessary to remain vigilant and use common sense to avoid scams and offers that seem too good to be true.