Specialists from F-Secure discovered a phishing campaign in which criminals from the Lazarus Group (also known as APT38) used a fake job announcement on LinkedIn to trick a system administrator at a cryptocurrency organization.
The attackers used the General Data Protection Regulation (GDPR) as bait to deceive the victim.
A malicious campaign by North Korean criminals targeted cryptocurrency organizations in the United Kingdom, the United States, the Netherlands, Germany, Singapore, Japan, and at least eight other countries.
The attackers sent a malicious file as an attachment to a LinkedIn message and encouraged the system administrator to open it for details about an interesting new job.
The malicious version of the document claimed to be protected under GDPR. The files downloaded once its macro ran resembled earlier APT38 tools.
"Lazarus Group has made considerable efforts to bypass the protection of the target organization during the attack, for example by disabling anti-virus software on compromised nodes and by disguising the presence of malicious implants," experts explained.