North Korean Cyber Threat Group “Lazarus” Targets Mac M1 With Signed Executables
Tue, 23/08/2022 – 18:01
MacBook M1 and Intel
The malware, Interception.dll, is designed to run by loading three files: a decoy PDF document and two executables, FinderFontsUpdater.app and safarifontagent, according to a series of tweets by ESET Research.
Compiled for both M1-based Macs and Intel silicon, the malware was uploaded to VirusTotal from Brazil, ESET said.
To reach their targets, the attackers used social engineering via LinkedIn, “hiding behind the ruse of attractive, but fake job postings”, ESET said, adding that it was likely part of the Lazarus for Mac campaign and is similar to research ESET published in May.
Late last week, Apple revoked the certificate that allowed the malware to run after ESET alerted the company to the campaign, according to Dark Reading. As a result, Macs running macOS Catalina v10.15 and later are protected, as long as the user has basic security awareness, Peter Kalnai, senior malware researcher at ESET, told the cybersecurity publication.
The cyber collective Lazarus has been operating for more than 10 years “with the blessing of the North Korean government”, as Forbes notes. One of its most high-profile heists was the theft of over $600 million worth of cryptocurrency from the gaming-centric Ronin Network, an Ethereum-linked blockchain.
Lazarus has also been linked to the WannaCry ransomware outbreak of May 2017, which affected hospitals, governments and businesses around the world and resulted in losses estimated at $4 billion, among other incidents (see below).
Lazarus has made a name for itself through cyber espionage
One of the main purposes of the operation was espionage, ESET said in a 2020 blog post when it first came across “Operation In(ter)ception”. The APT group had carried out targeted attacks against aerospace and military companies in Europe and the Middle East in the last months of 2019, ESET said at that time.
“The North Korean group APT Lazarus has made a name for itself with its cyber espionage campaigns, and this attack targeting developers with signed executables has the potential to inflict enormous damage on North Korea’s rivals,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
Venafi’s research shows that the proceeds of cybercriminal activities by North Korean APT groups are used to circumvent international sanctions and gather intelligence, Bocek said, adding that money from the attacks goes directly to the weapons programs of North Korea.
Long-standing interest in the malicious use of machine identities
“A key element of the attack is the use of a signed executable disguised as a job description,” according to Bocek.
Code-signing certificates have become the modus operandi of many North Korean APT groups, as these digital certificates are the “keys to the castle, securing communication between machines of all kinds, from servers to applications to Kubernetes clusters and microservices,” Bocek said.
“We have seen countless times how North Korean hackers use signed certificates to gain access to networks, passing malware off as legitimate and allowing it to launch devastating supply chain attacks,” Bocek said, citing incidents such as the 2014 Sony hack and the $101 million Bangladesh Bank hack carried out through the SWIFT banking system.
These attacks demonstrated North Korea’s longstanding interest in the malicious use of machine identities, which is a blind spot for many organizations. The Lazarus group understands machine identity and exploits it effectively, Bocek said.