ESET researchers continue to monitor a cyberespionage campaign, tracked as “Operation In(ter)ception,” that has been active at least since June 2020. The campaign targets employees working in the aerospace and military sectors and leverages decoy job offer documents.
ESET published a series of tweets detailing the recent attacks. The experts spotted a signed Mac executable disguised as a job description for Coinbase; the malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.
The malware is compiled for both Intel and Apple Silicon and drops three files: a decoy PDF document, Coinbase_online_careers_2022_07.pdf; a bundle, FinderFontsUpdater.app; and a downloader, safarifontagent. The discovery is similar to other attacks detected by ESET researchers in May.
The bundle employed in the attack was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria, with team identifier 264HFWQH63.
“The application is not notarized and Apple has revoked the certificate on August 12,” states ESET.
Experts noticed that, unlike the May attacks, the downloader safarifontagent connects to a different C&C server (https://concrecapital[.]com/%user%.jpg). The C2 server did not respond at the time ESET experts analyzed this malware.
The researcher @h2jazi also discovered a Windows counterpart of this malware on August 4; it was dropping the exact same decoy.
ESET also shared indicators of compromise (IoCs) for this threat.
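As an added example (not code from ESET's or Security Affairs' write-up), a small Python hunt over constructed proxy log lines, codesign output and a file listing for the indicators named above: the C2 domain with its per-user .jpg path, the signing team identifier, and the dropped file names. The proxy log format is an assumption.

```python
import re

# Indicators quoted in the article (defanged domain restored for matching).
C2_HOST = "concrecapital.com"
TEAM_ID = "264HFWQH63"
DROPPED_NAMES = {
    "Coinbase_online_careers_2022_07.pdf",
    "FinderFontsUpdater.app",
    "safarifontagent",
}
# The downloader fetches https://concrecapital[.]com/%user%.jpg, i.e. a
# single-segment .jpg path named after the local user.
C2_PATH = re.compile(r"^https?://" + re.escape(C2_HOST) + r"/[^/?#]+\.jpg$", re.I)


def c2_hits(proxy_lines):
    """Return (client, url) pairs whose URL matches the C2 pattern.
    Assumed line format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash the hunt
        client, url = parts[1], parts[3]
        if C2_PATH.match(url):
            hits.append((client, url))
    return hits


def signer_hits(codesign_output):
    """Return True if 'codesign -dvv' output names the flagged team id."""
    m = re.search(r"^TeamIdentifier=(\S+)", codesign_output, re.M)
    return bool(m and m.group(1) == TEAM_ID)


def dropped_file_hits(paths):
    """Return basenames from a file listing that match the dropped artifacts."""
    return sorted({p.rsplit("/", 1)[-1] for p in paths} & DROPPED_NAMES)


# Constructed sample data so the block runs stand-alone.
SAMPLE_PROXY = [
    "2022-08-11T10:00:01Z 10.0.0.5 GET https://concrecapital.com/jdoe.jpg 000",
    "2022-08-11T10:00:02Z 10.0.0.6 GET https://example.com/logo.jpg 200",
    "2022-08-11T10:00:03Z 10.0.0.7 GET https://concrecapital.com/assets/x.png 404",
]
SAMPLE_CODESIGN = "Identifier=com.example.placeholder\nTeamIdentifier=264HFWQH63\n"
SAMPLE_FILES = ["/Users/jdoe/Downloads/Coinbase_online_careers_2022_07.pdf",
                "/tmp/safarifontagent", "/Applications/Safari.app"]
```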
(SecurityAffairs – hacking, North Korea)