
Campaign By North Korea’s Lazarus Group Targets Freelance Software Developers


Malware attacks involving fraudulent freelance job offers have been deployed by North Korean hacking collective Lazarus Group against Web3 and cryptocurrency software developers as part of the new global Operation 99 campaign, according to The Hacker News.

SecurityScorecard found that threat actors impersonating recruiters on LinkedIn provide targeted software developers with project tests and code reviews, which redirect to malicious GitLab repositories distributing modular information-stealing malware compatible with Windows, macOS, and Linux systems.

Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, said the injection with the Main5346 and Main99 downloaders delivers the Payload99/73 and Payload5346 malware, which have system data exfiltration, browser process termination, and arbitrary code execution capabilities. It also delivers the credential-stealing Brow99/73 and the keyboard- and clipboard-tracking MCLIP payloads.

"By compromising developer accounts, attackers not only exfiltrate intellectual property, but also gain access to cryptocurrency wallets, enabling direct financial theft," said Sherstobitoff. "The targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering the Lazarus Group's financial goals."
