Severity
High
Analysis Summary
The Lazarus Group, a North Korean state-sponsored hacking collective, has launched the ClickFake Interview campaign, targeting job seekers in the cryptocurrency industry. This attack leverages fake job interview websites built using ReactJS to deploy a Go-based backdoor called GolangGhost on Windows and macOS.
Victims are tricked into downloading malicious scripts under the pretense of installing drivers or fixing interview-related issues. The campaign builds upon the previous Contagious Interview operation, showcasing Lazarus’ evolving tactics and continued focus on infiltrating the cryptocurrency ecosystem for financial and intelligence-gathering purposes.
The infection chain differs by operating system. On Windows, a VBS script downloads a NodeJS-based payload (`nvidia.js`), which extracts the malicious components, establishes persistence via registry keys, and launches GolangGhost through a batch file. On macOS, a Bash script (`coremedia.sh`) creates a launch agent plist file for persistence and deploys a stealer named FrostyFerret to extract system credentials before launching GolangGhost. The malware enables remote control, data theft, browser data extraction, and encrypted communication with C2 servers using RC4. GolangGhost ensures that only a single instance runs at a time by storing unique identifiers in temporary files.
According to the researchers, a key shift in this campaign is Lazarus’s focus on centralized finance (CeFi) platforms such as Coinbase, Kraken, Bybit, and Robinhood. Unlike previous campaigns, which targeted decentralized finance (DeFi), this pivot aligns with North Korea’s growing interest in CeFi, which relies on intermediaries for transactions. Additionally, the group now targets non-technical roles such as business development managers and asset management professionals, individuals who may be less vigilant against cybersecurity threats and are therefore easier targets for social engineering.
Detection strategies for this campaign involve monitoring unusual script execution patterns, registry modifications, and suspicious command-line activity. Tools like Sigma correlation rules or Sekoia Operating Language (SOL) queries can help identify anomalies, such as executions from temporary directories using processes like `curl.exe`, `powershell.exe`, and `wscript.exe`. The ClickFake Interview campaign underscores Lazarus’ increasing sophistication in targeting cryptocurrency entities, demonstrating their ability to refine attack techniques and strategically shift focus toward more lucrative targets while supporting North Korea’s financial and military ambitions.
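As an added illustration of the detection approach described above (example code, not rules from the researchers or this advisory), the following Python classifies constructed Sysmon-style events for the behaviours the campaign exhibits: script hosts or download tools executing from temporary directories, a Run-key persistence entry pointing into a temp path, and a shell writing a LaunchAgents plist. The event field names, paths and file names are assumptions for the sample.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str               # "process", "registry" or "file"
    image: str = ""         # process performing the action
    command_line: str = ""  # process command line
    target: str = ""        # registry value path or file path written
    data: str = ""          # registry value data

# Script hosts and download tools the advisory names, plus node.exe, which runs nvidia.js.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "curl.exe", "node.exe"}
SHELLS = {"bash", "sh", "zsh"}
TEMP_PATH = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
LAUNCH_AGENT = re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def classify(ev):
    """Return alert tags for one event; an empty list means nothing matched."""
    tags = []
    if ev.kind == "process" and basename(ev.image) in SCRIPT_HOSTS and TEMP_PATH.search(ev.command_line):
        tags.append("script-host-executing-from-temp")
    if ev.kind == "registry" and RUN_KEY.search(ev.target) and TEMP_PATH.search(ev.data):
        tags.append("run-key-persistence-to-temp")
    if ev.kind == "file" and basename(ev.image) in SHELLS and LAUNCH_AGENT.search(ev.target):
        tags.append("shell-wrote-launch-agent")
    return tags

def scan(events):
    """Index -> tags for every event that raised at least one tag."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}

# Constructed sample telemetry; paths and file names are illustrative, not real IOCs.
SAMPLE = [
    Event("process", r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\u\AppData\Local\Temp\setup.vbs"'),
    Event("process", r"C:\Users\u\AppData\Local\Temp\node.exe",
          r"node.exe C:\Users\u\AppData\Local\Temp\nvidia.js"),
    Event("registry", r"C:\Windows\System32\cmd.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Driver",
          data=r"C:\Users\u\AppData\Local\Temp\start.bat"),
    Event("file", "/bin/bash",
          target="/Users/u/Library/LaunchAgents/com.example.update.plist"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Get-Date"),  # benign: no temporary-directory path
]
```

Running `scan(SAMPLE)` flags the first four events and leaves the benign PowerShell invocation untagged; in production the same checks would be expressed as Sigma rules or SOL queries over the EDR's own field names.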
Impact
- Sensitive Data Theft
- Gain Access
- Privilege Escalation
Indicators of Compromise
Domain Name
MD5
- a6296fa80cf09ac595a4304e2d07906f
SHA-256
- a803c043e12a5dac467fae092b75aa08b461b8e9dd4c769cea375ff87287a361
SHA-1
- 9e3ed0c7785c4fdb6c3bf3e2b22f829c12c38b0e
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Encourage job seekers to verify interview links, domain authenticity, and recruiter profiles before engaging.
- Advise against downloading drivers or scripts during interviews and to report any suspicious prompts.
- Deploy Endpoint Detection & Response (EDR) solutions to monitor for suspicious script executions (VBS, Bash, NodeJS).
- Enforce application whitelisting to prevent unauthorized script execution.
- Use behavior-based detection to identify unusual script activity, such as running commands from temporary directories.
- Implement DNS filtering to block access to malicious fake interview domains.
- Monitor network traffic for C2 communications and detect encrypted traffic using RC4.
- Enforce multi-factor authentication (MFA) to protect sensitive accounts from credential theft.
- Restrict script execution policies on endpoints (e.g., PowerShell execution policy to restricted mode).
- Disable unnecessary scripting tools like wscript.exe and bash for non-administrative users.
- Limit user privileges to prevent malware from gaining elevated permissions.
- Regularly update operating systems, browsers, and security tools to mitigate vulnerabilities.
- Ensure antivirus and endpoint protection software signatures are up to date.