The financially-motivated threat actor BlueNoroff, a subgroup of the notorious Lazarus APT, has been actively targeting the cryptocurrency industry with sophisticated social engineering campaigns. These operations, named “GhostHire” and “GhostCall,” are designed to infiltrate crypto startups, venture capital firms, and banks to steal digital assets through elaborate deception. The group’s methods demonstrate a deep understanding of corporate communication and recruitment processes to exploit human trust.

The ‘GhostHire’ Deception: Fake Job Offers

In the GhostHire campaign, BlueNoroff operatives create highly convincing fake profiles on professional networking platforms like LinkedIn. They impersonate executives and HR managers from established venture capital firms to approach employees at targeted cryptocurrency companies. The attackers engage their targets with enticing but fraudulent job offers, building trust over an extended period. The final stage of this scheme involves sending the victim a malicious document, often disguised as a skills assessment or employment contract. This document, typically a password-protected archive, contains malware. Opening the file triggers an infection, giving the attackers a backdoor into the company’s network to conduct surveillance and prepare for financial theft.

‘GhostCall’: A New, Direct Attack Vector

The more recent “GhostCall” campaign demonstrates an evolution in BlueNoroff’s tactics. This method involves direct contact with targets via VoIP calls, bypassing email gateways. The attackers identify and research individuals at crypto startups, then impersonate representatives from real or fabricated companies to present a seemingly legitimate business opportunity or investment deal. During these conversations, they persuade the victim to install a specific software application required to view a contract or proceed with the deal. This application is, in reality, a malware downloader that fetches additional malicious payloads. This direct approach relies heavily on social engineering to achieve its objective of compromising the target’s system for eventual cryptocurrency theft.

Both campaigns highlight BlueNoroff’s persistent focus on the lucrative cryptocurrency sector, employing patient and well-researched social engineering tactics to achieve their financial goals.

Source: https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/