N. Korean APT Lazarus has launched a cyber-espionage campaign targeting engineers with a false job posting that attempts to spread macOS malware.
The malicious Mac executable used in the campaign targets both Apple & Intel chip-based systems.
The campaign, identified by researchers from ESET Research Labs & revealed in a series of tweets posted Tues., impersonates crypto-currency trader Coinbase in a job description claiming to seek an engineering manager for product security.
Mac Executable
Dubbed Operation In(ter)ception, the recent campaign uses a signed Mac executable disguised as a job description for Coinbase, which researchers observed had been uploaded to VirusTotal from Brazil.
“Malware is compiled for both Intel & Apple Silicon,” according to one of the tweets. “It drops 3 files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http[://]FinderFontsUpdater[.]app & a downloader safarifontagent.”
Similarities
The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple & Intel, and dropped a PDF decoy, researchers said.
Also, the most recent malware is signed July 21, according to its timestamp, which means it is either something new or a variant of the previous malware. It uses a certificate issued in Feb. 2022 to a developer named Shankey Nohria that was revoked by Apple on Aug. 12, researchers stated. The app itself was not notarised.
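One triage check a defender can run on such a sample is to confirm the "compiled for both Intel & Apple Silicon" claim by reading the Mach-O universal ("fat") header, and to flag the dropped artefact names ESET listed. The script below is an added example, not ESET's tooling; the header bytes it parses are constructed inline to stand in for a real sample.

```python
import struct

# Mach-O constants (from Apple's <mach-o/fat.h> and <mach/machine.h>)
FAT_MAGIC = 0xCAFEBABE        # universal header, big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O, little-endian on disk
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# Dropped-file names reported for this campaign (from the ESET tweets)
KNOWN_DROPPED = {"FinderFontsUpdater.app", "safarifontagent",
                 "Coinbase_online_careers_2022_07.pdf"}


def macho_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures contained in a Mach-O image."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):            # each fat_arch entry is 20 bytes
            off = 8 + i * 20
            cputype, _sub, _off, _size, _align = struct.unpack(
                ">IIIII", data[off:off + 20])
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []                            # not a Mach-O we recognise


def is_universal(data: bytes) -> bool:
    """True when the image carries both Intel and Apple Silicon slices."""
    archs = macho_architectures(data)
    return "x86_64" in archs and "arm64" in archs


def flag_dropped_files(paths: list[str]) -> list[str]:
    """Return the paths whose basename matches a known dropped artefact."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in KNOWN_DROPPED]


# Constructed sample: fat header with x86_64 and arm64 slices (offsets/sizes are dummies)
SAMPLE_FAT = struct.pack(">II", FAT_MAGIC, 2) + \
    struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x4000, 0x1000, 14) + \
    struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x8000, 0x1000, 14)
# Constructed sample: thin arm64-only Mach-O header prefix
SAMPLE_THIN = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_ARM64)
```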
Same Decoy
Operation In(ter)ception also has a companion Windows version of the malware that uses the same decoy & was seen on Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.
The malware used in the campaign also connects to a different command & control (C2) infrastructure than the malware discovered in May, https:[//]concrecapital[.]com/%user%[.]jpg, which did not respond when researchers tried to connect to it.
On the Loose
N. Korea’s Lazarus is well known as one of the most prolific APTs & already is in the sights of international authorities, having been sanctioned in 2019 by the US Govt.
Lazarus is well known for targeting academics, journalists & professionals in various industries, particularly the defence industry, to gather intelligence & financial backing for the Kim Jong-un Govt. It has often used impersonation methods similar to those observed in Operation In(ter)ception to try to persuade victims to take the malware bait.
Fake Employment
A previous campaign identified in Jan. also targeted job-seeking engineers by using fake employment opportunities in a spear-phishing campaign. The attacks used Windows Update as a ‘living-off-the-land’ technique & GitHub as a C2 server.
In addition, a similar campaign found in 2021 saw Lazarus impersonating defence contractors Boeing & General Motors, claiming to seek job candidates only to instead spread malicious documents.
Stealing Cash
However, lately Lazarus has expanded its tactics, with US authorities revealing that Lazarus has also been responsible for other crypto attacks aimed at stealing cash for N. Korea.
Also, the US Govt. used sanctions against crypto-currency mixer service ‘Tornado Cash’ for helping Lazarus launder cash from its cyber-criminal activities, which they believe is being used in part to fund N. Korea’s missile program.
Lazarus even has tried ransomware amidst an explosion of cyber-extortion activity. In May, researchers at cyber-security firm Trellix tied the recently emerged VHD ransomware to the N. Korean APT.