APT Lazarus Targets Engineers with macOS Malware


The North Korean APT is using a fake Coinbase job posting in a cyberespionage campaign whose macOS payload runs on both Apple Silicon and Intel-based Macs.

North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign that targets engineers with a fake job posting in an attempt to spread macOS malware. The malicious Mac executable used in the campaign is built for both Apple Silicon and Intel chip-based systems.

The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency exchange Coinbase in a job description claiming to seek an engineering manager for product security, the researchers disclosed.

Dubbed Operation In(ter)ception, the new campaign drops a signed Mac executable disguised as a job description for Coinbase, which researchers discovered uploaded to VirusTotal from Brazil, they wrote. "Malware is compiled for both Intel and Apple Silicon," according to one of the tweets. "It drops 3 files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http[://]FinderFontsUpdater[.]app and a downloader safarifontagent."
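The ESET tweet describes one executable that runs on both Intel and Apple Silicon Macs, which in Mach-O terms is a universal (fat) binary carrying an x86_64 slice and an arm64 slice. The Python below is an added example, not code from ESET or from the report: it parses the fat header the way `lipo -archs` does, cross-checks each slice's own Mach-O header against the architecture the fat header declares for it (so a tampered or truncated slice is reported rather than silently trusted), and answers whether both architectures are present. The sample bytes are constructed inside the script (headers only, no executable code) and are not the malware from the campaign; the constant names follow Apple's `<mach-o/fat.h>` and `<mach-o/loader.h>`.

```python
import struct

# Magic numbers from <mach-o/fat.h> and <mach-o/loader.h>.
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF      # universal (fat) headers, always big-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE      # 64-bit thin Mach-O, native / byte-swapped
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE            # 32-bit thin Mach-O

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {0x7: "i386", CPU_TYPE_X86_64: "x86_64", 0xC: "arm", CPU_TYPE_ARM64: "arm64"}


def cpu_name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}")


def mach_o_architectures(data: bytes) -> list:
    """Return the CPU architectures a Mach-O file is built for.

    A thin Mach-O yields one entry; a universal binary yields one per slice.
    Each fat_arch cputype is cross-checked against the mach_header inside the
    slice, so a mismatched or out-of-bounds slice raises ValueError.
    """
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")

    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        # fat_arch: cputype, cpusubtype, offset, size, align
        # fat_arch_64 widens offset/size to 64 bits and appends a reserved field.
        entry_fmt = ">iiQQII" if magic_be == FAT_MAGIC_64 else ">iiIII"
        entry_size = struct.calcsize(entry_fmt)
        archs = []
        for i in range(nfat_arch):
            start = 8 + i * entry_size
            entry = data[start:start + entry_size]
            if len(entry) != entry_size:
                raise ValueError(f"fat header truncated at entry {i}")
            cputype, _subtype, offset, size = struct.unpack(entry_fmt, entry)[:4]
            if offset + size > len(data):
                raise ValueError(f"slice {i} extends past end of file")
            declared = cpu_name(cputype)
            actual = mach_o_architectures(data[offset:offset + size])
            if actual != [declared]:
                raise ValueError(f"slice {i} declared {declared} but contains {actual}")
            archs.append(declared)
        return archs

    # Thin Mach-O: the magic reveals the byte order the header was written in.
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        endian = "<"
    elif magic_le in (MH_CIGAM_64, MH_CIGAM):
        endian = ">"
    else:
        raise ValueError(f"not a Mach-O file (magic 0x{magic_be:08x})")
    cputype = struct.unpack(endian + "i", data[4:8])[0]
    return [cpu_name(cputype)]


def is_universal_intel_and_arm(data: bytes) -> bool:
    """True when the file carries both an x86_64 and an arm64 slice."""
    return {"x86_64", "arm64"} <= set(mach_o_architectures(data))


# --- Constructed sample input (headers only; NOT the malware from the report) ---
def thin_header(cputype: int) -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved.
    # Only magic and cputype matter here; filetype 2 is MH_EXECUTE.
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_universal_sample() -> bytes:
    """Minimal two-slice universal file: a fat header followed by two thin headers."""
    cputypes = (CPU_TYPE_X86_64, CPU_TYPE_ARM64)
    slices = [thin_header(ct) for ct in cputypes]
    offset = 8 + 20 * len(slices)  # fat_header plus one 20-byte fat_arch per slice
    entries, body = b"", b""
    for ct, sl in zip(cputypes, slices):
        entries += struct.pack(">iiIII", ct, 0, offset, len(sl), 0)
        body += sl
        offset += len(sl)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + entries + body


if __name__ == "__main__":
    sample = build_universal_sample()
    print("architectures:", mach_o_architectures(sample))
    print("Intel + Apple Silicon:", is_universal_intel_and_arm(sample))
```

On a Mac the same answer comes from `lipo -archs <file>` or `file <file>`. The signing and notarization state the researchers describe is checked with `codesign -dv --verbose=4 <app>` (signer identity, certificate chain) and `spctl --assess --type exec -vv <app>`, which reports whether Gatekeeper would accept the bundle and, if so, on what basis.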

Similarities to Previous Malware

The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple Silicon and Intel, and dropped a PDF decoy, researchers said.

However, the most recent malware is signed July 21, according to its timestamp, which means it is either something new or a variant of the previous malware. It uses a certificate issued in February 2022 to a developer named Shankey Nohria, which Apple revoked on Aug. 12, researchers said. The app itself was not notarized. On a default-configured macOS install, an unnotarized app whose signing certificate has been revoked is blocked by Gatekeeper, so the lure depends on the target launching it regardless.

Operation In(ter)ception also has a companion Windows version of the malware that drops the same decoy, spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.

The malware used in the campaign also connects to different command-and-control (C2) infrastructure than the malware discovered in May, https:[//]concrecapital[.]com/%user%[.]jpg, which did not respond when researchers tried to connect to it.

Lazarus on the Loose

North Korea's Lazarus is well known as one of the most prolific APTs and already is in the crosshairs of global authorities, having been sanctioned back in 2019 by the U.S. government.

Lazarus is known for targeting academics, journalists and professionals in various industries, particularly the defense industry, to gather intelligence and financial backing for the regime of Kim Jong-un. It has often used impersonation ploys similar to the one observed in Operation In(ter)ception to try to get victims to take the malware bait.

A previous campaign identified in January also targeted job-seeking engineers by dangling fake employment opportunities at them in a spear-phishing campaign. Those attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.

Meanwhile, a similar campaign uncovered last year saw Lazarus impersonating defense contractors Boeing and General Motors and claiming to seek job candidates, only to spread malicious documents.

Changing It Up

However, more recently Lazarus has diversified its tactics, with the feds revealing that Lazarus also has been responsible for a number of crypto heists aimed at padding the regime of Kim Jong-un with cash.

Related to this activity, the U.S. government levied sanctions against cryptocurrency mixer service Tornado Cash for helping Lazarus launder currency from its cybercriminal activities, proceeds it believes are in part being used to fund North Korea's missile program.

Lazarus even has dipped its toe in ransomware amid its frenzy of cyberextortion activity. In May, researchers at cybersecurity firm Trellix tied the recently emerged VHD ransomware to the North Korean APT.