North Korean hackers spotted targeting job seekers with macOS malware


The North Korean-backed Lazarus Group has been observed targeting job seekers with malware capable of running on Apple Macs with Intel and M1 chipsets.

Slovak cybersecurity company ESET linked it to a campaign dubbed “Operation In(ter)ception”, first disclosed in June 2020, which used social engineering tactics to trick employees in the aerospace and military sectors into opening decoy job offer documents.

The latest attack is no different in that a job description for cryptocurrency exchange platform Coinbase was used as a launching pad to drop a signed Mach-O executable. ESET’s analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022.


“Malware is compiled for both Intel and Apple Silicon,” the company said in a series of tweets. “It drops three files: a decoy PDF document ‘Coinbase_online_careers_2022_07.pdf’, a bundle ‘FinderFontsUpdater.app’ and a downloader ‘safarifontagent’.”


The decoy file, despite its .PDF extension, is actually a Mach-O executable that acts as a dropper: it launches FinderFontsUpdater, which in turn runs safarifontsagent, a downloader designed to fetch next-stage payloads from a remote server.
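The extension-versus-content mismatch described above is easy to check on the endpoint. The following is an added example, not ESET's or the article's code: it reads the Mach-O magic (thin or universal/fat headers), lists the CPU slices it finds, and flags a "document" whose bytes are really an executable. The sample headers are constructed for illustration, not taken from the real malware.

```python
import struct

# Mach-O header magics as they appear in the first four bytes of a file.
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce": ">", b"\xce\xfa\xed\xfe": "<",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf": ">", b"\xcf\xfa\xed\xfe": "<",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary header, always big-endian
CPU_NAMES = {0x00000007: "i386", 0x01000007: "x86_64", 0x0000000C: "arm", 0x0100000C: "arm64"}


def macho_archs(data: bytes) -> list:
    """Return the CPU architectures in a Mach-O (thin or fat) blob, or [] if it is not Mach-O."""
    magic = data[:4]
    if len(data) < 8:
        return []
    if magic in THIN_MAGICS:
        cputype = struct.unpack(THIN_MAGICS[magic] + "I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    if magic == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat > 20:  # heuristic used by file(1): Java class files share this magic
            return []
        archs = []
        for i in range(nfat):
            off = 8 + 20 * i  # each fat_arch entry is five big-endian uint32 fields
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    return []


def check_decoy(name: str, data: bytes) -> dict:
    """Flag files whose document-style extension hides a Mach-O executable."""
    archs = macho_archs(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    suspicious = bool(archs) and ext in {"pdf", "doc", "docx", "txt", "rtf"}
    return {"name": name, "archs": archs, "suspicious": suspicious}


# Constructed samples (not real malware): a universal header with x86_64 + arm64 slices,
# a genuine PDF header, and a thin little-endian arm64 Mach-O header.
FAKE_PDF = (FAT_MAGIC + struct.pack(">I", 2)
            + struct.pack(">5I", 0x01000007, 3, 0x1000, 0x100, 12)
            + struct.pack(">5I", 0x0100000C, 0, 0x2000, 0x100, 14))
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
THIN_ARM64 = b"\xcf\xfa\xed\xfe" + struct.pack("<7I", 0x0100000C, 0, 2, 0, 0, 0, 0)

if __name__ == "__main__":
    for fname, blob in [("Coinbase_online_careers_2022_07.pdf", FAKE_PDF),
                        ("brochure.pdf", REAL_PDF), ("safarifontagent", THIN_ARM64)]:
        print(check_decoy(fname, blob))
```

A file that is flagged here should also be checked for a revoked signing identity, since, as the article notes, the decoy carried a valid developer certificate at the time of the attack.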

ESET said the decoy was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple has since revoked the certificate, on August 12.


It should be noted that the malware is cross-platform: a Windows equivalent of the same PDF document was used to drop an .EXE file named “Coinbase_online_careers_2022_07.exe” earlier this month, as revealed by Malwarebytes researcher Hossein Jazi.

The Lazarus Group has become something of an expert at using impersonation schemes on social media platforms like LinkedIn to target companies of strategic interest, as part of a larger campaign called Operation Dream Job.


“Operation Dream Job is basically an umbrella covering Operation In(ter)ception and Operation North Star,” ESET malware researcher Dominik Breitenbacher told The Hacker News.

Last month, it emerged that the $620 million Axie Infinity hack attributed to the collective was the result of one of its former employees being duped by a fraudulent job opportunity on LinkedIn.

The advanced persistent threat actor, which is already in the crosshairs of international authorities after being sanctioned by the US government in 2019, has further diversified its tactics by dipping its toes into the world of ransomware.

In May 2022, Trellix discovered overlaps between four ransomware strains, namely BEAF, PXJ, ZZZZ and CHiCHi, and another ransomware family known as VHD, which surfaced in 2020 as part of the threat actor's cross-platform malware framework called MATA.

Since then, the group has been found using two other ransomware families, Maui and H0lyGh0st, to generate a steady stream of illicit revenue, painting a picture of a financially motivated group that employs a wide range of methods to achieve the regime's operational goals.
