North Korea-linked Lazarus continues to target job seekers with macOS malware

North Korea-linked Lazarus APT group is targeting macOS Users searching for jobs in the cryptocurrency industry.

North Korea-linked Lazarus APT group continues to target macOS with a malware campaign using job opportunities as a lure. The attackers aimed at stealing credentials for the victims’ wallets.

Last week, SentinelOne researchers discovered a decoy documents advertising positions for the popular cryptocurrency exchange Crypto.com.

The SentinelOne investigation is based on a previous one conducted by ESET in August, when Lazarus APT has been observed targeting job seekers with macOS malware working also on Intel and M1 chipsets.

ESET published a series of tweets detailing the attacks, the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.

Lazarus APT has used this kind of lures in multiple campaigns since at least 2020, including a campaign dubbed ‘Operation Dream Job’.

The researchers have no evidence on how the malware is being distributed, but earlier reports on Operation In(ter)ception suggested that the threat actors initially established a contact with the victims via targeted messaging on LinkedIn.

The first stage dropper employed in the latest campaign is a Mach-O binary that is a similar template to the safarifontsagent binary used in the Coinbase attacks.

The dropper launches the decoy PDF file, a 26 page document containing all vacancies at Crypto.com, and wipes the Terminal’s current savedState (“com.apple.Terminal.savedState”).

The second stage in the Crypto.com variant is a bare-bones application bundle named “WifiAnalyticsServ.app”, it mirrors the same architecture employed in the Coinbase campaign.

The second-stage malware extracts and executes the third-stage binary.

“The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent. This functions as a downloader from a C2 server. The Coinbase variant used the domain concrecapital[.]com.” reads the analysis published by SentinelOne. “In the Crypto.com sample, this has changed to market.contradecapital[.]com.”

The experts were not able to determine the last-stage payload because the C2 server responsible for hosting the malware was offline at the time of the analysis.

Experts pointed out that the threat actors have made no effort to encrypt or obfuscate the binaries employed in the attacks, a circumstance that indicates the attackers were conducting short-term campaigns and/or little fear of detection by their targets. 

“The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges. This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018. Operation In(ter)ception appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)

[adrotate banner=”5″]

[adrotate banner=”13″]