Concise Cyber

Subscribe below for free to get these delivered straight to your inbox

Advertisements
GhostHire and GhostCall: How BlueNoroff APT Uses Fake Jobs to Steal Crypto
Advertisements

The financially-motivated threat actor BlueNoroff, a subgroup of the notorious Lazarus APT, has been actively targeting the cryptocurrency industry with sophisticated social engineering campaigns. These operations, named “GhostHire” and “GhostCall,” are designed to infiltrate crypto startups, venture capital firms, and banks to steal digital assets through elaborate deception. The group’s methods demonstrate a deep understanding of corporate communication and recruitment processes to exploit human trust.

The ‘GhostHire’ Deception: Fake Job Offers

In the GhostHire campaign, BlueNoroff operatives create highly convincing fake profiles on professional networking platforms like LinkedIn. They impersonate executives and HR managers from established venture capital firms to approach employees at targeted cryptocurrency companies. The attackers engage their targets with enticing but fraudulent job offers, building trust over an extended period. The final stage of this scheme involves sending the victim a malicious document, often disguised as a skills assessment or employment contract. This document, typically a password-protected archive, contains malware. Opening the file triggers an infection, giving the attackers a backdoor into the company’s network to conduct surveillance and prepare for financial theft.

‘GhostCall’: A New, Direct Attack Vector

The more recent “GhostCall” campaign demonstrates an evolution in BlueNoroff’s tactics. This method involves direct contact with targets via VoIP calls, bypassing email gateways. The attackers identify and research individuals at crypto startups, then impersonate representatives from real or fabricated companies to present a seemingly legitimate business opportunity or investment deal. During these conversations, they persuade the victim to install a specific software application required to view a contract or proceed with the deal. This application is, in reality, a malware downloader that fetches additional malicious payloads. This direct approach relies heavily on social engineering to achieve its objective of compromising the target’s system for eventual cryptocurrency theft.

Both campaigns highlight BlueNoroff’s persistent focus on the lucrative cryptocurrency sector, employing patient and well-researched social engineering tactics to achieve their financial goals.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources.The intent is only to summarise what is already reported in public forum in our own wordswith no intention to plagarise or copy other person’s work.The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment.The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com.You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications.If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/

Discover more from Concise Cyber

Subscribe now to keep reading and get access to the full archive.

Continue reading