Watch out – that amazing job offer could actually just be a crypto-stealing scam, Microsoft warns
The BlueNoroff cybercrime campaign appears to be going from strength to strength after Microsoft spotted yet another criminal campaign that it attributed to the North Korean hackers.
Redmond’s security professionals recently discovered that BlueNoroff (part of the Lazarus Group’s advanced persistent threat, which it calls Sapphire Sleet) was posing as skills assessment portals and using them to steal people’s sensitive data or deliver malware to them let it download.
“Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skill assessment,” says the Microsoft Threat Intelligence team said on X. “The threat actor then moves successful communications with targets to other platforms.”
Spreading malware
BlueNoroff, but also Lazarus as a whole, is a threat actor that has been seen for years using fake job advertisements and targeting professionals in the cryptocurrency industry. With that in mind, the latest campaign, which includes skills assessment portals, is a “change in tactics from the persistent actor,” according to Microsoft.
Late last week, security researchers at Jamf warned about a new macOS malware called ObjCSellz, which was developed and distributed by BlueNoroff. It heavily overlaps with another macOS malware known as RustBucket.
Microsoft said BlueNoroff typically distributed malware by sending malicious attachments or embedded links to pages hosted on GitHub. However, Microsoft’s quick responses to remove these threats forced Sapphire Sleet to create a new network of websites used to spread the malware, the researchers claim.
“Several malicious domains and subdomains host these websites, enticing recruiters to register for an account,” the company added. “The websites are password protected to hinder analysis.”
The Lazarus Group is believed to be under the direct command of the North Korean government. The goals are not always the same, but usually involve stealing cryptocurrencies from targets in the West. The money, some sources say, is being used to support the government and build up the nuclear weapons program