The North Korea-backed Lazarus Group has been spotted targeting job seekers with malware capable of running on Apple Macs with both Intel and M1 chips.
Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees in the aerospace and military sectors into opening decoy job offer documents.
The latest attack is no different, in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET's analysis is based on a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022.
"Malware is compiled for both Intel and Apple Silicon," the company said in a series of tweets. "It drops three files: a decoy PDF document 'Coinbase_online_careers_2022_07.pdf', a bundle 'FinderFontsUpdater.app,' and a downloader 'safarifontagent.'"
The decoy file, despite carrying a .PDF extension, is in reality a Mach-O executable that functions as a dropper: it launches FinderFontsUpdater, which in turn executes safarifontagent, a downloader designed to retrieve next-stage payloads from a remote server. Because the first stage is a universal (fat) binary, the same file runs natively on both Intel and Apple Silicon Macs.
ESET said the lure was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple revoked the certificate on August 12, so copies encountered after that date will no longer pass as validly signed, but the sample ran with a valid signature for roughly three weeks.
It is worth noting that the lure is cross-platform: a Windows equivalent of the same PDF decoy was used to drop an .EXE file named "Coinbase_online_careers_2022_07.exe" earlier this month, as revealed by Malwarebytes researcher Hossein Jazi.
The Lazarus Group has become something of an expert at posing as HR representatives on social media platforms like LinkedIn to target companies of strategic interest.
Last month, it came to light that the $620 million Axie Infinity hack attributed to the collective was the result of one of Sky Mavis's former employees being duped by a fraudulent job offer on LinkedIn.
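The tradecraft in both the macOS and Windows lures is the same: a file whose name says "document" but whose content is an executable. The triage script below is an added example (it is not ESET's or Malwarebytes' tooling and was not taken from the analysed samples). It classifies a file by its leading bytes rather than its extension, and for Mach-O files lists the CPU types it was built for, which is how one sees at a glance that a "PDF" is a universal binary covering both Intel and Apple Silicon. The `build_fat_header` helper and the `SAMPLE_*` constants are constructed test inputs (headers only, no code) so the script runs offline; the Mach-O magic numbers and CPU type constants are Apple's, taken from `<mach-o/loader.h>` and `<mach-o/fat.h>`.

```python
import struct
import sys

# Magic numbers from Apple's <mach-o/loader.h> and <mach-o/fat.h>.
FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary; header fields are big-endian
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O

CPU_TYPE_X86_64 = 0x01000007   # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C    # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_TYPE_NAMES = {
    0x00000007: "i386",
    CPU_TYPE_X86_64: "x86_64 (Intel)",
    0x0000000C: "arm",
    CPU_TYPE_ARM64: "arm64 (Apple Silicon)",
}

DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".rtf", ".txt")
EXECUTABLE_FORMATS = ("macho", "macho-fat", "pe")


def identify(data: bytes) -> dict:
    """Classify a file by its leading bytes, never by its name.

    Returns {"format": <str>, "archs": [<str>, ...]}; archs lists the CPU
    types a Mach-O or fat binary was built for (empty for other formats).
    """
    if data.startswith(b"%PDF-"):
        return {"format": "pdf", "archs": []}
    if data.startswith(b"MZ"):          # DOS/PE header, the Windows .EXE case
        return {"format": "pe", "archs": []}
    if len(data) < 8:
        return {"format": "unknown", "archs": []}

    be_magic = struct.unpack(">I", data[:4])[0]
    le_magic = struct.unpack("<I", data[:4])[0]

    if be_magic == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        # 0xCAFEBABE is also the Java class-file magic; there the next field is
        # the class version, so an implausibly large "arch count" is not a fat binary.
        if nfat_arch > 32:
            return {"format": "unknown", "archs": []}
        archs = []
        for i in range(nfat_arch):
            off = 8 + i * 20            # each fat_arch entry is five uint32 fields
            if len(data) < off + 20:
                break                   # truncated header: report what we have
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_TYPE_NAMES.get(cputype, hex(cputype)))
        return {"format": "macho-fat", "archs": archs}

    # Thin Mach-O: the header uses the target CPU's byte order, so try both.
    for endian, magic in (("<", le_magic), (">", be_magic)):
        if magic in (MH_MAGIC, MH_MAGIC_64):
            cputype = struct.unpack(endian + "I", data[4:8])[0]
            return {"format": "macho", "archs": [CPU_TYPE_NAMES.get(cputype, hex(cputype))]}

    return {"format": "unknown", "archs": []}


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a document-looking file name carries executable content."""
    return (name.lower().endswith(DOCUMENT_EXTENSIONS)
            and identify(data)["format"] in EXECUTABLE_FORMATS)


def build_fat_header(cputypes) -> bytes:
    """Constructed test input: a fat header with one fat_arch entry per CPU type."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        # cputype, cpusubtype, offset, size, align (all big-endian)
        hdr += struct.pack(">IIIII", cputype, 0, 0x4000 * (i + 1), 0x1000, 14)
    return hdr


# Constructed samples (headers only), not bytes taken from the real malware.
SAMPLE_FAT = build_fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])
SAMPLE_THIN_ARM64 = struct.pack("<IIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, 0)
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
SAMPLE_JAVA_CLASS = bytes.fromhex("cafebabe00000034") + b"\0" * 8

if __name__ == "__main__":
    # Usage: python triage.py <file> ...   (reads only the first 4 KiB of each file)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            head = f.read(4096)
        info = identify(head)
        flag = "MISMATCH" if extension_mismatch(path, head) else "ok"
        print(f"{path}: {info['format']} {info['archs']} [{flag}]")
```

On a Mac, `file` gives the same verdict, but a small script like this is easy to run over a whole mail-attachment or download directory and to extend with the formats you care about. Note that it inspects only headers: a genuine PDF can still carry a malicious payload, and a signed Mach-O with a valid certificate, as this sample had until August 12, would pass Gatekeeper; the check here catches the extension trick, not every lure.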