In August, researchers from ESET spotted an instance of Operation In(ter)ception using decoys for vacancies on the Coinbase cryptocurrency exchange platform to infect macOS users with malware. In recent days, SentinelOne saw another variation in the same campaign using decoys for open positions at rival exchange Crypto.com. In this article, we review the details of this ongoing campaign and publish the latest indicators of compromise.
Coinbase campaign turns to Crypto.com
North Korea-linked APT threat actor Lazarus has been using decoys for enticing job offers in a number of campaigns since at least 2020, including targeting aerospace and defense contractors in a campaign called “Operation Dream Job”.
While these campaigns distributed Windows malware, macOS malware was discovered using a similar tactic. Decoy PDF documents advertising positions on the Coinbase crypto exchange were discovered by our friends at ESET in August 2022, with indications that the campaign was at least a year old. Last week, SentinelOne observed variants of the malware using new decoys for vacancies on Crypto.com.
First stage and persistence
Although it is unclear at this stage how the malware is distributed, previous reports suggested that threat actors were luring victims through targeted LinkedIn posts.
The first stage dropper is a Mach-O binary, following a similar pattern to the safarifontsagent binary used in the Coinbase variant. The first step creates a folder in the user’s Library called “WifiPreference” and drops a persistence agent to ~/Library/LaunchAgents/com.wifianalyticsagent.plist targeting an executable in the WifiPreference folder called
The LaunchAgent uses the same label as in the Coinbase variant, namely iTunes_trush, but changes the location of the target executable and the name of the agent file. Analysis of the binary shows that these details are simply hard-coded into the startDaemon() function at compile time, and as such it is likely that other variants exist or are to come.
The WifiPreference folder contains several other items, including the decoy document, Crypto.com_Job_Opportunities_2022_confidential.pdf.
The PDF is a 26-page dump of all job postings on Crypto.com. In line with observations from the previous campaign, this PDF is created with MS Word 2016, PDF version 1.5. The author of the document is listed as “UChan”.
The first-stage malware opens the decoy PDF document and erases Terminal’s saved application state, as shown in the command below.
open '/Users/tritium/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf' && rm -rf '/Users/tritium/Library/Saved Application State/com.apple.Terminal.savedState'
The second stage of the Crypto.com variant is a set of simple applications named “WifiAnalyticsServ.app”; this mirrors the same architecture seen in the Coinbase variant, which used a second stage called “FinderFontsUpdater.app”. The application uses bundle id finder.fonts.extractor and has been around since at least 2021.
The main purpose of the second stage is to extract and run the third stage binary, wifianalyticsagent. It works like a downloader from a C2 server. The Coinbase variant used the domain concrecapital[.]com. In the Crypto.com example, this changed to
The payload is written to the WifiPreference folder as WifiCloudWidget. Unfortunately, due to the C2 being offline when we analyzed the sample, we were unable to retrieve the
Threat actors made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets. The binaries are all universal Mach-O binaries capable of running on Intel or Apple M1 silicon machines and are signed with an ad-hoc signature, meaning they will pass Apple’s Gatekeeper checks despite not being associated with a recognized developer identity.
Stay Protected Against Lazarus Malware
SentinelOne customers are protected against the malware variants used in this campaign. For those not currently protected by SentinelOne, security teams and administrators are encouraged to review the Indicators of Compromise at the end of this article.
The Lazarus (a.k.a Nukesped) threat actor continues to target those involved in cryptocurrency exchanges. This is a longstanding theme dating back to the AppleJeus campaigns that began in 2018. Operation In(ter)ception appears to be expanding the targets of crypto exchange users to their employees in what could be a combined effort to conduct both espionage and cryptocurrency theft.
Indicators of Compromise
~/Library/WifiPreference/WifiAnalyticsServ.app
~/Library/WifiPreference/WifiCloudWidget
~/Library/WifiPreference/wifianalyticsagent
~/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf
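The following hunt script is an added example, not code from the SentinelOne article or from the malware itself. It takes the persistence details given above (the iTunes_trush label, the com.wifianalyticsagent.plist agent file, the WifiPreference drop folder) and the file IoCs listed here, and checks LaunchAgent plists and file paths against them. The sample plists and the /Users/victim home directory are constructed for the demonstration; on a real host you would feed it the contents of ~/Library/LaunchAgents and a file listing.

```python
# Added example (not from the article): hunt LaunchAgent plists and file paths
# for the Operation In(ter)ception persistence details and file IoCs above.
# All sample inputs below are constructed for the demonstration.
import plistlib

# File IoCs from the article, relative to the user's home directory
IOC_RELATIVE_PATHS = {
    "Library/WifiPreference/WifiAnalyticsServ.app",
    "Library/WifiPreference/WifiCloudWidget",
    "Library/WifiPreference/wifianalyticsagent",
    "Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf",
}
IOC_LABEL = "iTunes_trush"                  # LaunchAgent label shared by both variants
IOC_AGENT_FILE = "com.wifianalyticsagent.plist"
IOC_DROP_DIR = "Library/WifiPreference"     # folder created by the first stage


def analyze_launch_agent(filename, plist_bytes):
    """Return a list of findings for one ~/Library/LaunchAgents/*.plist."""
    findings = []
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ValueError) as exc:
        # An unparseable agent file is itself worth a look
        return [f"{filename}: could not parse plist ({exc})"]
    if filename == IOC_AGENT_FILE:
        findings.append(f"{filename}: agent file name matches IoC")
    if data.get("Label") == IOC_LABEL:
        findings.append(f"{filename}: Label {IOC_LABEL!r} matches IoC")
    # launchd accepts the executable either as Program or as ProgramArguments[0]
    targets = []
    if isinstance(data.get("Program"), str):
        targets.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        targets.append(args[0])
    for target in targets:
        if f"/{IOC_DROP_DIR}/" in target:
            findings.append(f"{filename}: target {target!r} lives in {IOC_DROP_DIR}")
    return findings


def match_file_paths(paths, home):
    """Return the absolute paths that match the article's file IoCs under `home`."""
    prefix = home.rstrip("/") + "/"
    return [p for p in paths
            if p.startswith(prefix) and p[len(prefix):] in IOC_RELATIVE_PATHS]


# Constructed sample: a LaunchAgent shaped like the one described in the article
SAMPLE_MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>iTunes_trush</string>
    <key>ProgramArguments</key>
    <array><string>/Users/victim/Library/WifiPreference/wifianalyticsagent</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for comparison
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in [(IOC_AGENT_FILE, SAMPLE_MALICIOUS_PLIST),
                       ("com.example.updater.plist", SAMPLE_BENIGN_PLIST)]:
        for line in analyze_launch_agent(name, blob) or [f"{name}: no IoC match"]:
            print(line)
    print(match_file_paths(["/Users/victim/Library/WifiPreference/WifiCloudWidget",
                            "/Users/victim/Documents/notes.txt"], "/Users/victim"))
```

The label and folder checks are deliberately separate from the file-name check: the article notes that the agent file name and target location are hard-coded per build and expected to change, so a variant that keeps only the iTunes_trush label or only the WifiPreference folder still produces a finding.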
Batch labels and identifiers