North Korean hacking collective Lazarus Group has used fraudulent freelance job offers to deliver malware to Web3 and cryptocurrency software developers as part of the new global Operation 99 campaign, according to The Hacker News.

Threat actors impersonating recruiters on LinkedIn give targeted software developers project tests and code reviews that redirect to malicious GitLab repositories, which distribute modular information-stealing malware compatible with Windows, macOS, and Linux systems, a report from SecurityScorecard showed.

Injection with the Main5346 and Main99 downloaders enables delivery of the Payload99/73 and Payload5346 malware, which have system data exfiltration, browser process termination, and arbitrary code execution capabilities, as well as the credential-stealing Brow99/73 and keyboard and clipboard tracking MCLIP payloads, noted SecurityScorecard Senior Vice President of Threat Research & Intelligence Ryan Sherstobitoff.

"By compromising developer accounts, attackers not only exfiltrate intellectual property but also gain access to cryptocurrency wallets, enabling direct financial theft. The targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering the Lazarus Group's financial goals," noted SecurityScorecard.
Threat Intelligence, Phishing, Malware
New Lazarus Group attack campaign sets sights on freelance software developers
