APT

North Korea-linked Lazarus continues to target job seekers with macOS malware

North Korea-linked Lazarus APT group is targeting macOS Users searching for jobs in the cryptocurrency industry.

North Korea-linked Lazarus APT group continues to target macOS with a malware campaign using job opportunities as a lure. The attackers aimed at stealing credentials for the victims’ wallets.

Last week, SentinelOne researchers discovered a decoy documents advertising positions for the popular cryptocurrency exchange Crypto.com.

The SentinelOne investigation is based on a previous one conducted by ESET in August, when Lazarus APT has been observed targeting job seekers with macOS malware working also on Intel and M1 chipsets.

ESET published a series of tweets detailing the attacks, the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.

Lazarus APT has used this kind of lures in multiple campaigns since at least 2020, including a campaign dubbed ‘Operation Dream Job’.

The researchers have no evidence on how the malware is being distributed, but earlier reports on Operation In(ter)ception suggested that the threat actors initially established a contact with the victims via targeted messaging on LinkedIn.

The first stage dropper employed in the latest campaign is a Mach-O binary that is a similar template to the safarifontsagent binary used in the Coinbase attacks.

The dropper launches the decoy PDF file, a 26 page document containing all vacancies at Crypto.com, and wipes the Terminal’s current savedState (“com.apple.Terminal.savedState”).

The second stage in the Crypto.com variant is a bare-bones application bundle named “WifiAnalyticsServ.app”, it mirrors the same architecture employed in the Coinbase campaign.

The second-stage malware extracts and executes the third-stage binary.

“The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent. This functions as a downloader from a C2 server. The Coinbase variant used the domain concrecapital[.]com.” reads the analysis published by SentinelOne. “In the Crypto.com sample, this has changed to market.contradecapital[.]com.”

The experts were not able to determine the last-stage payload because the C2 server responsible for hosting the malware was offline at the time of the analysis.

Hardcoded C2 in the third-stage downloader (Source SentinelOne)

Experts pointed out that the threat actors have made no effort to encrypt or obfuscate the binaries employed in the attacks, a circumstance that indicates the attackers were conducting short-term campaigns and/or little fear of detection by their targets. 

“The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges. This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018. Operation In(ter)ception appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.