North Korean Hackers Spotted Targeting Job Seekers With MacOS Malware
The North Korea-backed Lazarus Group targeted job seekers, with malware capable of executing on Apple Macs with Intel and M1 chipsets. Slovak cybersecurity firm ESET linked it to a campaign dubbed Operation In(ter)ception that was first disclosed in June 2020.
Threat Actors Aimed At Military And Aerospace Employees
The operation involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents. The latest attack is no different in that they used a job description for the Coinbase cryptocurrency exchange platform as a launchpad to drop a signed Mach-O executable.
ESET’s analysis comes from a sample of the binary, uploaded to VirusTotal from Brazil on August 11, 2022. The firm said in a series of tweets that they compile the malwares for both Intel and Apple Silicon.
It drops three files: a decoy PDF document ‘Coinbase_online_careers_2022_07.pdf‘, a bundle ‘FinderFontsUpdater.app,’ and a downloader ‘safarifontagent.
The decoy file, while sporting the PDF extension, is, in reality, a Mach-O executable that functions as a dropper to launch FinderFontsUpdater. This, in turn, executes safarifontsagent, a downloader designed to retrieve next-stage payloads from a remote server.
Apple Tackles the Malware
ESET stated that the hackers signed the lure on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple has since moved to revoke the certificate on August 12.
It’s worth noting, that the malware is cross-platform, as a Windows equivalent of the same PDF document was used to drop an. EXE file named Coinbase_online_careers_2022_07.exe earlier this month.
The Lazarus Group has emerged as n expert of sorts when it comes to posing as HR representatives on social media platforms like LinkedIn to target companies that are of strategic interest.
Last month, it came to light that the $620 million Axie Infinity hack attributed to the collective was the result of one of its former employees getting duped by a fraudulent job offer on LinkedIn.
