Intrusions involving the ClickFix technique have been deployed by North Korean hacking collective Lazarus Group against individuals looking to secure jobs in the cryptocurrency sector, especially in centralized finance, as part of an attack campaign that commenced last month, BleepingComputer reports.
Popular cryptocurrency firms, including Coinbase, Archblock, KuCoin Exchange, and Bybit, have been spoofed by Lazarus Group in remote job interview invitations redirecting to a convincing ReactJS-based website that triggers a fake driver issue allegedly hindering camera access once video recording is attempted, according to a Sekoia analysis. Such a warning is accompanied by instructions ordering targets to execute a curl command in either CMD or Terminal depending on their devices' operating system that would then be followed by compromise with the Go-based GolangGhost backdoor. Aside from executing file operations and shell commands, GolangGhost also enables the exfiltration of browsing history, cookies, and stored passwords, as well as system metadata, said Sekoia researchers, who urged increased vigilance to mitigate risks associated with the attack that has been ongoing alongside Lazarus' earlier Contagious Interview campaign.
