Beware! Lazarus Hackers Use Fake Interviews “ClickFake” to Infect Windows & macOS with GO Malware

The infamous North Korean cyber espionage group, Lazarus, has launched a new campaign dubbed “ClickFake Interview,” targeting job seekers in the cryptocurrency industry.

Leveraging fake job interview websites, the operation deploys a Go-based malware called GolangGhost, infecting both Windows and macOS systems.

This campaign is a continuation of Lazarus’ previous “Contagious Interview” efforts but introduces enhanced tactics to evade detection.

Fake Websites and Malware Deployment

The ClickFake Interview campaign begins with fraudulent job offers shared via social media platforms.

(Image: ClickFake Interview websites)

Victims are directed to fake interview websites built using ReactJS, which mimic legitimate hiring processes.

These sites prompt users to fill out forms, answer cryptocurrency-related questions, and enable their cameras for interviews.

At this stage, an error message appears urging users to download drivers or software; this is where the malicious payload is delivered.

For Windows users, a Visual Basic Script (VBS) downloads and executes the GolangGhost backdoor via NodeJS.

On macOS, a Bash script installs malicious components and executes FrostyFerret, a stealer designed to exfiltrate system passwords, before launching GolangGhost.

(Image: FrostyFerret pop-ups)

According to the report, this malware enables remote control of the infected system and steals sensitive data, including browser information.

Technical Sophistication of GolangGhost

GolangGhost is an interpreted Go backdoor capable of executing commands such as file uploads/downloads, shell commands, and browser data theft.

It communicates with a hardcoded Command-and-Control (C2) server using encrypted HTTP POST requests.

The malware generates a unique identifier for each victim and maintains persistence through registry entries on Windows or plist files on macOS.

The infection chain varies by operating system but ultimately leads to the installation of GolangGhost.

On macOS systems, FrostyFerret plays a critical role in obtaining user credentials by mimicking native UI prompts for system passwords.

Unlike previous campaigns that primarily targeted software developers and engineers, ClickFake Interview focuses on employees with limited technical expertise in centralized finance (CeFi) entities.

This strategic shift aligns with Lazarus’ goal of exploiting cryptocurrency platforms for financial gain.

The campaign reflects a broader trend observed in 2024, where DPRK-linked threat actors increasingly targeted CeFi over decentralized finance (DeFi).

The ClickFix tactic employed in this campaign makes detection challenging due to its use of common tools like curl.exe and powershell.exe in rapid succession.

However, cybersecurity analysts can identify suspicious activity by correlating these actions within short timeframes or monitoring registry changes related to command execution.
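The detection idea in the paragraph above can be made concrete. The following is an added example written for this page, not code from the article or from any vendor's report. It assumes Sysmon-style JSON events (EventID 1 for process creation, EventID 13 for registry value sets), a 30-second correlation window, and uses the RunMRU registry path, where Windows records commands typed into the Run dialog, as the "registry change related to command execution"; the article names no specific key, so that mapping is my assumption. All hosts, users, timestamps and registry contents in the sample log are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-like events, one JSON object per line. Hosts, users,
# times and the RunMRU payload are made up for this example.
SAMPLE_LOG = r"""
{"ts": "2025-03-20T10:00:00", "EventID": 13, "Host": "WS01", "User": "alice", "TargetObject": "HKU\\S-1-5-21-CONSTRUCTED\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a", "Details": "<constructed pasted command>\\1"}
{"ts": "2025-03-20T10:00:02", "EventID": 1, "Host": "WS01", "User": "alice", "Image": "C:\\Windows\\System32\\curl.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-20T10:00:05", "EventID": 1, "Host": "WS01", "User": "alice", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-20T11:30:00", "EventID": 1, "Host": "WS02", "User": "bob", "Image": "C:\\Windows\\System32\\curl.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-03-20T11:45:00", "EventID": 1, "Host": "WS02", "User": "bob", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-03-20T12:00:00", "EventID": 1, "Host": "WS03", "User": "carol", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-20T12:00:10", "EventID": 1, "Host": "WS03", "User": "carol", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

WINDOW = timedelta(seconds=30)          # assumed correlation window
PAIR = {"curl.exe", "powershell.exe"}   # the two tools named in the article
RUNMRU = r"\explorer\runmru"            # assumed key for Run-dialog commands


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(text):
    """Parse JSON-per-line events and convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def find_chains(events, window=WINDOW):
    """Flag a curl.exe and a powershell.exe launched by the same user on the
    same host within `window` of each other, in either order."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        if e["EventID"] == 1 and image_name(e["Image"]) in PAIR:
            by_key[(e["Host"], e["User"])].append(e)
    for (host, user), procs in by_key.items():
        procs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(procs):
            for second in procs[i + 1:]:
                gap = second["ts"] - first["ts"]
                if gap > window:
                    break  # sorted, so nothing later can fall inside the window
                if image_name(first["Image"]) != image_name(second["Image"]):
                    alerts.append({
                        "host": host,
                        "user": user,
                        "first": image_name(first["Image"]),
                        "second": image_name(second["Image"]),
                        "seconds_apart": gap.total_seconds(),
                        "parent": first.get("ParentImage"),
                    })
                    break  # one alert per leading process
    return alerts


def find_run_dialog_writes(events):
    """Flag registry value sets under RunMRU (assumed mapping for the
    article's 'registry changes related to command execution')."""
    return [
        {
            "host": e["Host"],
            "user": e["User"],
            "value": e["TargetObject"].rsplit("\\", 1)[-1],
            "command": e.get("Details", ""),
        }
        for e in events
        if e["EventID"] == 13 and RUNMRU in e["TargetObject"].lower()
    ]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in find_chains(evs):
        print("curl/powershell chain:", a)
    for w in find_run_dialog_writes(evs):
        print("Run-dialog command recorded:", w)
```

On the constructed sample, only WS01/alice trips both rules: curl.exe and powershell.exe three seconds apart under explorer.exe, preceded by a RunMRU write. WS02's 15-minute gap and WS03's lone powershell.exe are left alone, which is the point of the window: the tools are ordinary, the timing is not.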

This campaign underscores the evolving sophistication of Lazarus’ tactics as they continue targeting cryptocurrency entities globally for financial gain.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
