Lazarus ‘Operation In(ter)ception’ targets macOS users dreaming of jobs in crypto

In August, researchers from ESET spotted an instance of Operation In(ter)ception using decoys for vacancies on the Coinbase cryptocurrency exchange platform to infect macOS users with malware. In the last days, SentinelOne saw another variation in the same campaign using decoys for open positions at rival exchange Crypto.com. In this article, we review the details of this ongoing campaign and publish the latest indicators of compromise.

Coinbase campaign turns to Crypto.com

North Korea-linked APT threat actor Lazarus has been using decoys for enticing job offers in a number of campaigns since at least 2020, including targeting aerospace and defense contractors in a campaign called “Operation Dream Job”.

While these campaigns distributed Windows malware, macOS malware was discovered using a similar tactic. Decoy PDF documents advertising positions on the Coinbase crypto exchange have been discovered by our friends at ESET in August 2022, with indications that the campaign was at least a year old. Last week, SentinelOne observed variants of the malware using new decoys for vacancies on Crypto.com.

Decoy document advertising positions on Crypto.com

First stage and persistence

Although it is unclear at this stage how the malware is distributed, previous reports suggested that threat actors were luring victims through targeted LinkedIn posts.

The first stage dropper is a Mach-O binary that follows a similar pattern to the safarifontsagent binary used in the Coinbase variant. It first creates a folder in the user’s Library called “WifiPreference” and drops a persistence agent at ~/Library/LaunchAgents/com.wifianalyticsagent.plist targeting an executable in the WifiPreference folder called wifianalyticsagent.

Persistence agent com.wifianalyticsagent

The LaunchAgent uses the same label as in the Coinbase variant, namely iTunes_trush, but changes the location of the target executable and the name of the agent file. Analysis of the binary shows that these details are simply hard-coded into the startDaemon() function at compile time, so it is likely that other variants exist or are still to come.
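The persistence details above (a LaunchAgent whose label, iTunes_trush, does not match its file name, and whose target executable lives in ~/Library/WifiPreference) are easy to hunt for. The following Python script is an added example written for this article, not SentinelOne tooling: it parses LaunchAgent plists, matches the label and file paths listed in the Indicators of Compromise, and generalises slightly with a label/file-name mismatch check and a heuristic (an assumption, not from the write-up) that flags agents running directly out of user-writable ~/Library paths outside Application Support. The two plists embedded in the script are constructed samples, not the real files.

```python
import plistlib
from pathlib import Path

# Indicators from the write-up: the LaunchAgent label shared with the Coinbase
# variant and the file paths the Crypto.com variant drops.
KNOWN_LABELS = {"iTunes_trush"}
KNOWN_PROGRAM_PATHS = {
    "~/Library/WifiPreference/wifianalyticsagent",
    "~/Library/WifiPreference/WifiAnalyticsServ.app",
    "~/Library/WifiPreference/WifiCloudWidget",
}
# Assumption (review heuristic, not from the write-up): a per-user agent whose
# executable sits under ~/Library but outside Application Support is unusual
# enough to deserve a look by an analyst.
EXPECTED_LIBRARY_PREFIX = "~/Library/Application Support/"


def normalize(path, home):
    """Collapse the user's home directory to '~' so IoCs match regardless of username."""
    if path == home or path.startswith(home + "/"):
        return "~" + path[len(home):]
    return path


def program_paths(plist):
    """Executable(s) a launchd job runs: the Program key and/or ProgramArguments[0]."""
    paths = []
    program = plist.get("Program")
    if isinstance(program, str):
        paths.append(program)
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def assess_launch_agent(plist_bytes, plist_filename, home="/Users/victim"):
    """Return a list of findings for one LaunchAgent plist; an empty list means nothing flagged."""
    findings = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # neither a valid XML nor binary plist
        return [f"unparseable plist: {exc}"]
    if not isinstance(plist, dict):
        return ["plist root is not a dictionary"]

    label = plist.get("Label", "")
    if label in KNOWN_LABELS:
        findings.append(f"known Lazarus label {label!r}")
    # The Crypto.com sample keeps the label iTunes_trush inside a file named
    # com.wifianalyticsagent.plist; a label/file-name mismatch is cheap to spot.
    expected = Path(plist_filename).stem
    if label and label != expected:
        findings.append(f"label {label!r} does not match file name {expected!r}")

    for raw in program_paths(plist):
        path = normalize(raw, home)
        if path in KNOWN_PROGRAM_PATHS:
            findings.append(f"known Lazarus path {path}")
        elif path.startswith("~/Library/") and not path.startswith(EXPECTED_LIBRARY_PREFIX):
            findings.append(f"agent runs from user-writable Library path {path}")
    return findings


def scan_launch_agents(home):
    """Walk <home>/Library/LaunchAgents and return findings keyed by plist path."""
    report = {}
    agents_dir = Path(home) / "Library" / "LaunchAgents"
    for plist_path in sorted(agents_dir.glob("*.plist")):
        hits = assess_launch_agent(plist_path.read_bytes(), plist_path.name, str(home))
        if hits:
            report[str(plist_path)] = hits
    return report


# Constructed sample mirroring the persistence agent described above (not the real file).
SAMPLE_LAZARUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>iTunes_trush</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/WifiPreference/wifianalyticsagent</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for contrast: label matches file name, binary in /Applications.
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, data in (("com.wifianalyticsagent.plist", SAMPLE_LAZARUS_PLIST),
                       ("com.example.updater.plist", SAMPLE_BENIGN_PLIST)):
        print(name, "->", assess_launch_agent(data, name) or "clean")
    # On a real Mac: print(scan_launch_agents(Path.home()))
```

On a live host, scan_launch_agents(Path.home()) walks the current user's LaunchAgents directory; the per-file function is kept separate so the same logic can be run over plists collected from a disk image or an EDR export.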

The startDaemon() function hardcodes the persistence agent details

The WifiPreference folder contains several other items, including the decoy document, Crypto.com_Job_Opportunities_2022_confidential.pdf.

The PDF is a 26-page dump of all job postings on Crypto.com. In line with observations from the previous campaign, this PDF is created with MS Word 2016, PDF version 1.5. The author of the document is listed as “UChan”.

PDF decoy was created with MS Word 2016

The first-stage malware opens the decoy PDF document and erases the Terminal app’s saved application state.

open '/Users/tritium/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf' && 
rm -rf '/Users/tritium/Library/Saved Application State/com.apple.Terminal.savedState'

The second stage of the Crypto.com variant is a simple application named “WifiAnalyticsServ.app”; this mirrors the architecture seen in the Coinbase variant, which used a second stage called “FinderFontsUpdater.app”. The application uses the bundle id finder.fonts.extractor and has been around since at least 2021.

The main purpose of the second stage is to extract and run the third stage binary, wifianalyticsagent, which acts as a downloader that retrieves a payload from a C2 server. The Coinbase variant used the domain concrecapital[.]com. In the Crypto.com example, this changed to market.contradecapital[.]com.

C2 hardcoded in third stage downloader

The payload is written to the WifiPreference folder as WifiCloudWidget. Unfortunately, due to the C2 being offline when we analyzed the sample, we were unable to retrieve the WifiCloudWidget payload.

Threat actors made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets. The binaries are all universal Mach-O files capable of running on Intel or Apple M1 silicon machines and are signed with an ad-hoc signature, meaning they will pass Apple’s Gatekeeper checks despite not being associated with a recognized developer identity.

The sample wifianalyticsagent passes Gatekeeper with an “ad hoc” signature

Stay Protected Against Lazarus Malware

SentinelOne customers are protected against the malware variants used in this campaign. For those not currently protected by SentinelOne, security teams and administrators are encouraged to review the Indicators of Compromise at the end of this article.

Conclusion

The Lazarus (a.k.a. Nukesped) threat actor continues to target those involved in cryptocurrency exchanges. This is a longstanding theme dating back to the AppleJeus campaigns that began in 2018. Operation In(ter)ception appears to be expanding its targeting from crypto exchange users to the exchanges’ employees, in what could be a combined effort to conduct both espionage and cryptocurrency theft.

Indicators of Compromise

SHA1                                      Name/description
a57684cc460d4fc202b8a33870630414b3bbfafc  1st step, xxx
65b7091af6279cf0e426a7b9bdc4591679420380  Crypto.com_Job_Opportunities_2022_confidential.pdf
1f0f9020f72aa5a38a89ffd6cd000ed8a2b49edc  2nd stage, WifiAnalyticsServ
1b32f332e7fc91252181f0626da05ae989095d71  3rd stage, wifianalyticsagent

Communication
market.contradecapital[.]com

Persistence
~/Library/LaunchAgents/com.wifianalyticsagent.plist

File paths

~/Library/WifiPreference/WifiAnalyticsServ.app
~/Library/WifiPreference/WifiCloudWidget
~/Library/WifiPreference/wifianalyticsagent
~/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf

Batch labels and identifiers
iTunes_trush
finder.fonts.extractor
