Microsoft Alerts IT Job Seekers About Fraudulent Skills Assessment Websites
A sub-group within the notorious Lazarus Group has set up new infrastructure that mimics skills evaluation platforms for its social engineering campaigns. Microsoft has attributed this activity to a threat actor it tracks as Sapphire Sleet, describing the move as a shift in the tactics of this persistent actor.
The notorious Lazarus Group, infamous for its cyber-espionage and cybercrime operations, has unveiled a new strategy in its social engineering playbook. As per Microsoft’s observations, a subset of this group, referred to as Sapphire Sleet, has been setting up bogus websites imitating skill assessment portals to dupe unsuspecting victims.
Also tracked under aliases such as APT38, BlueNoroff, CageyChameleon, and CryptoCore, Sapphire Sleet is known for a series of cryptocurrency thefts carried out through cunning social engineering tactics. Recently, Jamf Threat Labs linked this group to ObjCShellz, a new type of macOS malware. ObjCShellz is believed to be a later-stage payload associated with another macOS malware strain, RustBucket.
Microsoft’s Threat Intelligence team highlights Sapphire Sleet’s modus operandi, which typically involves targeting individuals on professional platforms such as LinkedIn. The actor draws in targets with skill assessment-related lures before steering the conversation to other communication platforms for further exploitation.
Previously, Sapphire Sleet’s campaigns involved sending malicious attachments directly or linking to pages hosted on reputable services such as GitHub. With malicious files now being detected and removed quickly from these legitimate platforms, Sapphire Sleet appears to have adapted by building its own network of websites for distributing malware.
“These specially crafted websites, hosted on multiple malicious domains and subdomains, appear to be skill assessment portals aimed at recruiters. To hinder forensic analysis, the websites are password-protected,” Microsoft added in its briefing.
This shift in tactics indicates an evolution in Sapphire Sleet’s operational methods, signifying a continuous threat from this advanced persistent threat (APT) actor within the global cyber landscape.