APT Lazarus Targets Engineers with macOS Malware

The North Korean APT is using a fake Coinbase job posting in a cyberespionage campaign whose macOS payload runs on both Apple Silicon and Intel-based Macs.

North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign that targets engineers with a fake job posting in an attempt to spread macOS malware. The malicious Mac executable used in the campaign is a universal binary that runs on both Apple Silicon and Intel-based systems.

The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency exchange Coinbase with a job description that claims to seek an engineering manager for product security.

Dubbed Operation In(ter)ception, the campaign drops a signed Mac executable disguised as a Coinbase job description, which researchers found uploaded to VirusTotal from Brazil, they wrote.

“Malware is compiled for both Intel and Apple Silicon,” according to one of the tweets. “It drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle FinderFontsUpdater[.]app and a downloader safarifontagent.”
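Whether a sample really is built for both Intel and Apple Silicon is something a responder can confirm without executing it: a universal binary starts with a big-endian fat header listing one slice per architecture, and each slice is a normal thin Mach-O file whose own header repeats the CPU type. The following parser is an added example written for this page, not code from ESET, Threatpost or the malware; the sample bytes it builds are constructed in-line (an x86_64 and an arm64 slice with empty load commands) so it runs offline, and the function names are this example's own.

```python
import struct

# Magic numbers from <mach-o/fat.h> and <mach-o/loader.h>.
FAT_MAGIC = 0xCAFEBABE    # fat/universal header, always stored big-endian
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit thin Mach-O header
MH_MAGIC = 0xFEEDFACE     # 32-bit thin Mach-O header

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64  # 0x01000007
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64   # 0x0100000C

CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM64: "arm64",
}


def _thin_cputype(data: bytes, offset: int) -> int:
    """Read cputype from the thin Mach-O header at `offset`, honouring its byte order."""
    magic_be = struct.unpack_from(">I", data, offset)[0]
    if magic_be in (MH_MAGIC_64, MH_MAGIC):
        order = ">"  # header written big-endian (historic PowerPC builds)
    elif magic_be in (0xCFFAEDFE, 0xCEFAEDFE):
        order = "<"  # little-endian, as on every Intel and Apple Silicon Mac
    else:
        raise ValueError(f"no Mach-O magic at offset {offset:#x}")
    return struct.unpack_from(order + "I", data, offset + 4)[0]


def mach_o_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures a Mach-O file (thin or fat) is built for."""
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [CPU_NAMES.get(_thin_cputype(data, 0), "unknown")]
    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    archs = []
    for i in range(nfat_arch):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (uint32, big-endian)
        cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        # A crafted fat table can disagree with the slices it points at; cross-check.
        if _thin_cputype(data, offset) != cputype:
            raise ValueError(f"slice {i}: fat table and thin header disagree")
        archs.append(CPU_NAMES.get(cputype, f"cputype {cputype:#x}"))
    return archs


def targets_intel_and_apple_silicon(data: bytes) -> bool:
    """True when the file carries both an x86_64 and an arm64 slice."""
    return {"x86_64", "arm64"} <= set(mach_o_architectures(data))


def build_sample_thin(cputype: int, cpusubtype: int = 0) -> bytes:
    """Constructed sample (not a real binary): a mach_header_64 with no load commands.
    Fields: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved."""
    return struct.pack("<8I", MH_MAGIC_64, cputype, cpusubtype, 2, 0, 0, 0, 0)


def build_sample_universal() -> bytes:
    """Constructed sample fat container with an x86_64 and an arm64 slice, 4096-byte aligned as lipo emits."""
    slices = [build_sample_thin(CPU_TYPE_X86_64, 3), build_sample_thin(CPU_TYPE_ARM64)]
    align = 12
    offsets = [(1 << align) * (i + 1) for i in range(len(slices))]
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    for hdr, off in zip(slices, offsets):
        cputype, cpusubtype = struct.unpack_from("<II", hdr, 4)
        out += struct.pack(">5I", cputype, cpusubtype, off, len(hdr), align)
    for hdr, off in zip(slices, offsets):
        out += b"\0" * (off - len(out))  # pad up to the slice's aligned offset
        out += hdr
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_universal()
    print(mach_o_architectures(sample), targets_intel_and_apple_silicon(sample))
```

On a real sample, read the file into `data` and call `mach_o_architectures`; the result should match `lipo -archs` or `file`, and a mismatch between the fat table and a slice header is itself worth noting in a report.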

Similarities to Previous Malware

The malware is similar to a sample ESET discovered in May, which likewise consisted of a signed executable disguised as a job description, was compiled for both Apple Silicon and Intel, and dropped a PDF decoy, researchers said.

However, the most recent sample was signed July 21, according to its timestamp, which means it is either something new or a variant of the earlier malware. It is signed with a certificate issued in February 2022 to a developer named Shankey Nohria, which Apple revoked on Aug. 12, researchers said. The app itself was not notarized. In practice, that revocation and the missing notarization only stop the app when it carries the quarantine attribute and Gatekeeper assesses it; a user who bypasses the warning, or a copy delivered without the quarantine flag, can still run it.

Operation In(ter)ception also has a companion Windows version of the malware that drops the same decoy; it was spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.

The new sample also uses different command-and-control (C2) infrastructure than the malware discovered in May: https[:]//concrecapital[.]com/%user%[.]jpg, where %user% is a placeholder the malware fills in. The server did not respond when researchers tried to connect to it.

Lazarus on the Loose

North Korea’s Lazarus is well known as one of the most prolific APTs and already is in the crosshairs of international authorities, having been sanctioned back in 2019 by the U.S. government.

Lazarus is known for targeting academics, journalists and professionals in various industries, particularly the defense industry, to gather intelligence and financial backing for the regime of Kim Jong-un. It has often used impersonation ploys similar to the one observed in Operation In(ter)ception to get victims to take the malware bait.

A previous campaign identified in January also targeted job-seeking engineers by dangling fake employment opportunities at them in a spear-phishing campaign. The attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.

Meanwhile, a similar campaign uncovered last year saw Lazarus impersonate defense contractors Boeing and General Motors, posing as recruiters seeking job candidates in order to deliver malicious documents.

Changing It Up

However, Lazarus has more recently diversified its tactics, with the feds revealing that the group is also responsible for a number of crypto heists aimed at padding Kim Jong-un’s regime with cash.

Related to this activity, the U.S. government levied sanctions against cryptocurrency mixer service Tornado Cash for helping Lazarus launder proceeds of its cybercriminal activities, which officials believe are being used in part to fund North Korea’s missile program.

Lazarus has even dipped a toe into ransomware amid its frenzy of cyberextortion activity. In May, researchers at cybersecurity firm Trellix tied the VHD ransomware to the North Korean APT.
