A new Group-IB report highlights an ongoing campaign by the North Korean Lazarus Group, known as the “Eager Crypto Beavers” campaign. This group employs sophisticated tactics such as fake job offers and malicious video conferencing applications to distribute malware.
The notorious North Koran government-backed Lazarus Group is stepping up its financially motivated cyber campaigns, according to a new report from Group-IB. Dubbed “Eager Crypto Beavers,” the ongoing campaign uses increasingly sophisticated tactics to target blockchain professionals and developers.
The Contagious Interview Campaign
Researchers have observed a campaign called “Contagious Interview,” where victims are lured with fake job offers. Job seekers are tricked into downloading and running a malicious Node.js project that contains a malware variant named “BeaverTail.” BeaverTail then deploys a Python backdoor known as “InvisibleFerret,” ultimately stealing sensitive data.
The threat actors have expanded their attack methods, using fraudulent video conferencing applications like “FCCCall” to mimic legitimate platforms. These applications are distributed through cloned websites and act as a delivery mechanism for BeaverTail malware.
In Group-IB’s latest report shared with Hackread.com, the company revealed that the Lazarus Group’s new attack tactics include job portals like WWR, Moonlight, and Upwork, in addition to LinkedIn.
Additionally, using platforms like Telegram, the group manipulates victims further. Lazarus has also injected malicious JavaScript into gaming and cryptocurrency projects on GitHub and is now distributing fraudulent video conferencing applications such as “FCCCall,” which mimics legitimate services to install malware like BeaverTail. Once installed on Windows, BeaverTail steals browser credentials and cryptocurrency wallet data before executing another malware, InvisibleFerret.
It is worth noting that the BeaverTail malware also targets macOS devices.
The group’s malicious repositories contain obfuscated code that fetches additional threats from command-and-control (C2) servers, making detection difficult. Moreover, BeaverTail’s Python version and another tool, CivetQ, enable remote access via AnyDesk and ensure persistence across Windows, macOS, and Linux systems.
What’s worse, Lazarus has expanded its data theft targets to include browser extensions, password managers, and even Microsoft Sticky Notes, exfiltrating stolen data through FTP and Telegram. Key indicators of compromise (IOCs) include C2 endpoints for malware downloads and unique file signatures.
Surprised? Don’t be!
The Lazarus Group, known for helping fund the North Korean economy by stealing hundreds of millions of dollars through cyberattacks, is using new tactics. This shift is not surprising and is a clear reminder that cyberattacks are a major threat to both companies and individuals.
Because of this, cybersecurity training should be required in businesses and schools. People should also stay alert and use common sense to avoid scams and offers that seem too good to be true.
RELATED TOPICS
- Feds Bust N. Korean Identity Theft Ring Targeting US Firms
- Hackers used fake job website to scam jobless US veterans
- KnowBe4 Tricked into Hiring a North Korean Hacker as IT Pro
- Fake LinkedIn job offers scam spreading More_eggs backdoor
- Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
- Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam
- Fake PoC Script Tricked Researchers into Downloading VenomRAT
