Ethical Hacking News
The Lazarus Group has employed a new social engineering tactic called ClickFix to deceive job seekers in the cryptocurrency sector, targeting managerial positions with a range of fake job offers. A related Google report describes a surge of North Korean IT worker activity in Europe, an expansion of those operations beyond the United States, with North Korean nationals posing as legitimate remote workers to infiltrate companies.
The Lazarus Group has employed a new social engineering tactic called ClickFix to deceive job seekers in the cryptocurrency sector. The group mimics legitimate job interview websites, luring victims into installing Windows and macOS backdoors through a fake video interviewing service named Willo. Victims are prompted to enable their camera or microphone, whereupon an error message appears telling them to download a driver to fix the issue. The instructions given to the victim vary with the operating system, leading to different backdoor installations. FROSTYFERRET is a stealer module that exfiltrates user data, including passwords and system information, to a Dropbox location. GolangGhost facilitates remote control and data theft through commands for file upload/download, host information collection, and web browser data theft. The Lazarus Group's use of ClickFix marks a shift in targeting from traditional tech roles to managerial positions focused on business development, asset management, and similar functions. Separately, North Korean nationals pose as legitimate remote workers to infiltrate companies, generating illicit revenue for Pyongyang in violation of international sanctions.
The Lazarus Group, a notorious North Korean threat actor attributed to the Reconnaissance General Bureau (RGB) of the Democratic People's Republic of Korea (DPRK), has recently employed a sophisticated social engineering tactic known as ClickFix to deceive job seekers in the cryptocurrency sector. This new campaign, codenamed ClickFake Interview by French cybersecurity company Sekoia, is a continuation of the Contagious Interview operation, which was first publicly documented in late 2023.
According to Sekoia researchers Amaury G., Coline Chavane, and Felix Aimé, the Lazarus Group mimics legitimate job interview websites to lure victims into installing Windows and macOS backdoors. The ClickFix tactic involves creating a fake video interviewing service named Willo, which appears to be a legitimate platform for assessing candidates. Upon completing the video assessment, the victim is prompted to enable their camera or microphone, whereupon an error message appears stating that they need to download a driver to fix the issue.
The instructions provided to the victim vary depending on the operating system used. On Windows, the targets are asked to open Command Prompt and execute a curl command to run a Visual Basic Script (VBS) file, which then launches a batch script to run GolangGhost. In contrast, macOS users are prompted to launch the Terminal app and run a curl command to run a shell script, followed by a second shell script that executes a stealer module dubbed FROSTYFERRET (aka ChromeUpdateAlert) and the backdoor.
FROSTYFERRET displays a fake window stating that the Chrome web browser needs access to the user's camera or microphone, after which it prompts the victim to enter their system password. The entered information, regardless of its validity, is exfiltrated to a Dropbox location, likely indicating an attempt to access the iCloud Keychain using the stolen password.
GolangGhost is engineered to facilitate remote control and data theft through several commands that allow it to upload/download files, send host information, and steal web browser data. The malware was first discovered in conjunction with the FERRET malware family, which was previously disclosed by security researcher Taylor Monahan towards the end of 2024.
The Lazarus Group's use of the ClickFix tactic marks a significant departure from their previous campaigns, which mainly targeted developers and software engineers. Instead, this operation targets managerial positions focused on business development, asset management, product development, or decentralized finance specialists. This shift in target suggests that the group is expanding its reach beyond traditional tech sectors to infiltrate more prominent organizations.
Google Threat Intelligence Group (GTIG) has observed a surge in the fraudulent IT worker scheme in Europe, underscoring a significant expansion of their operations beyond the United States. North Korean nationals pose as legitimate remote workers to infiltrate companies and generate illicit revenue for Pyongyang in violation of international sanctions.
The IT worker activity entails various projects in the United Kingdom related to web development, bot development, content management system (CMS) development, and blockchain technology. The workers often falsify their identities, claiming to be from Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. This global expansion of IT worker operations has been driven by increased awareness of the activity in the United States, coupled with U.S. Justice Department indictments.
In conclusion, the Lazarus Group's latest deceptive scheme using the ClickFix tactic highlights their continued innovation and adaptability in the cyber threat landscape. As the threat actor group continues to evolve, it is essential for organizations to remain vigilant and implement robust security measures to protect themselves against such sophisticated attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Lazarus-Groups-Latest-Deceptive-Scheme-Targeting-Job-Seekers-with-ClickFix-Malware-ehn.shtml
https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html
https://www.bleepingcomputer.com/news/security/north-korean-hackers-adopt-clickfix-attacks-to-target-crypto-firms/
https://thesecmaster.com/blog/apt-c-26-or-lazarus-group
https://en.wikipedia.org/wiki/Lazarus_Group
Published: Thu Apr 3 09:33:08 2025 by llama3.2 3B Q4_K_M