Concise Cyber

Subscribe below for free to get these delivered straight to your inbox

Advertisements
BlueNoroff’s GhostHire & GhostCall: Fake Crypto Jobs Lead to Real Theft
Advertisements

The BlueNoroff advanced persistent threat (APT) group, a financially-motivated division of the larger Lazarus entity, has been identified deploying sophisticated campaigns targeting the cryptocurrency industry. Using advanced social engineering, the group executes two primary operations, named ‘GhostHire’ and ‘GhostCall’, to infiltrate cryptocurrency startups, venture capital firms, and banks with the ultimate goal of stealing digital assets.

The GhostHire Deception: A Phantom Job Offer

Under the campaign name ‘GhostHire’, BlueNoroff operators create elaborate fake profiles on professional networking sites like LinkedIn. They impersonate human resources personnel from legitimate venture capital firms, such as Fenbushi Capital, to initiate contact with employees at targeted crypto startups. The attackers engage victims in a multi-stage hiring process, which can include online interviews and technical assignments, to establish credibility over time. The final stage involves sending the target a file, often disguised as a skill assessment or contract, which contains a malicious payload. This payload installs a backdoor, giving BlueNoroff persistent access to the victim’s machine and, consequently, their employer’s network.

GhostCall: The Bait of Venture Capital

In a parallel campaign dubbed ‘GhostCall’, the threat actor uses a different lure but with the same objective. Attackers pose as representatives from venture capital companies, contacting crypto startups with offers of funding or collaboration. The infection begins with an email containing a link to a password-protected document hosted on a legitimate cloud service, with the password provided in the email body. Upon opening the document and entering the password, a malicious script is executed, initiating a multi-stage infection chain. This process ultimately results in the deployment of a .NET-based backdoor, allowing the attackers to control the compromised system. BlueNoroff’s tactics involve using legitimate services like GitHub to host malware and employing a variety of file types, including LNK files and compiled HTML help files (.chm), to evade detection.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources.The intent is only to summarise what is already reported in public forum in our own wordswith no intention to plagarise or copy other person’s work.The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment.The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com.You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications.If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/

Discover more from Concise Cyber

Subscribe now to keep reading and get access to the full archive.

Continue reading