Microsoft has issued a warning about fake skills assessment portals being used in social engineering campaigns by a North Korean hacking group known as Sapphire Sleet.
Sapphire Sleet, which is part of the notorious Lazarus Group, has a history of stealing cryptocurrencies through scams and phishing attempts. The group typically finds targets on LinkedIn and initiates contact using lures related to skills assessments.
According to a series of posts by Microsoft on X, Sapphire Sleet has recently established new portals that impersonate recruiting and skills testing sites. The fake websites require users to register for an account, enabling the hackers to gather sensitive personal information and credentials.
Several malicious domains and subdomains host these websites, which entice recruiters to register for an account. The websites are password-protected to impede analysis. These domains are blocked by Microsoft Defender SmartScreen and Network Protection. — Microsoft Threat Intelligence (@MsftSecIntel) November 8, 2023
The sites are hosted on malicious domains and are password-protected to avoid analysis. Microsoft has already blocked many of the known domains being used in these campaigns.
Microsoft believes the shift to fake skills assessment portals may indicate that Sapphire Sleet has changed direction because its previous malicious attachments and links were quickly detected and taken down.
Sapphire Sleet is now specifically targeting LinkedIn users based on their expertise and experience. The initial outreach contains links to the fraudulent sites disguised as legitimate skills tests.
Microsoft advises LinkedIn users, especially those in IT and recruiting roles, to be cautious of unsolicited messages containing links or skill assessment offers. Users should verify the authenticity of any websites before providing login credentials or sensitive information.
Lazarus, also known as Hidden Cobra, became widely known in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un. It is believed to be closely connected to the North Korean government.
Later the group turned its attention to cryptocurrency thefts, and was thought to have stolen roughly $400 million in cryptocurrency in 2021.
It is also blamed for the Ronin hack in March 2022, which resulted in the theft of more than $600 million in Ethereum and USDC stablecoins.