In this session, we will take a deep dive into a sophisticated recruitment scam run by the well-known Lazarus Group on LinkedIn and other job-related platforms. We will start by analyzing the interaction between a Bitdefender employee and a fake recruiter on LinkedIn, while also explaining what the so-called recruiter is after and what are the known tactics that are used in these kinds of scenarios.
Given the fact that the scam is enabled by job-seeking developers that set out to finish the coding assessment given by the fake recruiter, we will continue with a bird’s eye view on the received code repositories. Among thousands of lines of code, stolen from public repositories, the threat actors hide an obfuscated Javascript snippet that begins the malware infection chain.

Moving forward, the complexity of the infection chain increases. A comprehensive breakdown of each step involved will be provided, with insights about malware analysis and the necessary protective measures to prevent infection:

• Downloading more malicious, self-unpacking Python scripts
• Using public services to store information (e.g: pastebin)
• Downloading a malicious binary that doubles down the infostealing efforts, while also exfiltrating data through TOR

The presentation will end with conclusions and take aways, while also leaving plenty of time for Q&A.