New Lazarus Spear Phishing Attack Uses a LinkedIn Job Posting as Its Front

What better way to gain complete control over a crypto organization’s network than to target their sysadmin with a Job Posting and then spear phish them?

It’s a brilliant and elegant attack. The Lazarus group, formerly responsible for WannaCry, is jumping on the cryptocurrency-as-the-target bandwagon. We’ve seen prominent twitter accounts being hacked with crypto as the endgame, as well as recent vishing attacks on financial organizations to eventually gain access to high net worth customers’ cryptocurrency accounts.

According to security researchers at F-Secure, in this latest attack from Lazarus, a legitimate LinkedIn ad is posted looking for a sysadmin for a blockchain technology company. The ad targets current sysadmins at cryptocurrency orgs. Once a candidate sysadmin engages via the ad, they are sent a Word document as part of the process, complete with the claim that the document is protected under GDPR and requires macros to be enabled.

Once enabled, a series of malicious actions occur including the conducting of system checks and downloading system-specific malware payloads. Credential harvesting, deletion of security log entries, and lateral movement are all part of the attack.

Despite the sophistication of the attack, there is one common, non-technical element that determines whether this campaign works or not – the human.

The success or failure of this attack rests solely with the sysadmin; if they don’t fall for the macro enabling and realize this is probably a scam, the whole thing falls apart.

This is why I recommend that everyone – from the mailroom to the boardroom step through new-school security awareness training and educate employees on common tactics that are not just used, but often required as part of a phishing attack.