The North Korea-backed Lazarus Group has been observed targeting
job seekers with malware capable of executing on Apple Macs with
Intel and M1 chipsets.
Slovak cybersecurity firm ESET linked it to a campaign dubbed
“Operation In(ter)ception[1]” that was first
disclosed in June 2020 and involved using social engineering
tactics to trick employees working in the aerospace and military
sectors into opening decoy job offer documents.
The latest attack is no different in that a job description for
the Coinbase cryptocurrency exchange platform was used as a
launchpad to drop a signed Mach-O executable. ESET’s analysis comes
from a sample of the binary that was uploaded to VirusTotal from
Brazil on August 11, 2022.
“Malware is compiled for both Intel and Apple Silicon,” the
company said[2]
in a series of tweets. “It drops three files: a decoy PDF document
‘Coinbase_online_careers_2022_07.pdf[3]’, a bundle ‘FinderFontsUpdater.app[4]’, and a downloader
‘safarifontagent[5]’.”
The decoy file, while sporting the .PDF extension, is in reality
a Mach-O executable that functions as a dropper to launch
FinderFontsUpdater, which, in turn, executes safarifontagent, a
downloader designed to retrieve next-stage payloads from a remote
server.
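As an added defender-side example that is not part of the article or of ESET’s analysis, the Python below classifies a file by its header bytes rather than its extension, telling a genuine PDF apart from a thin or fat (universal) Mach-O and listing the architectures a fat binary carries, which is how a .pdf-named dropper built for both Intel and Apple Silicon shows up in triage. The magic values are Apple’s published constants; the sample bytes are constructed, not taken from the campaign.

```python
import struct
from typing import List, Tuple
# Magic values from Apple's <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x7: "i386", 0xC: "arm"}

def classify(data: bytes) -> Tuple[str, List[str]]:
    """Classify by header bytes, ignoring the name: returns (kind, archs) where
    kind is 'pdf', 'macho', 'macho-fat' or 'other' and archs lists CPU types."""
    if data.startswith(b"%PDF-"):
        return "pdf", []
    if len(data) < 8:
        return "other", []
    be_magic = struct.unpack(">I", data[:4])[0]
    le_magic = struct.unpack("<I", data[:4])[0]
    # Thin Mach-O: magic and the cputype after it share the target byte order.
    for magic, order in ((be_magic, ">"), (le_magic, "<")):
        if magic in (MH_MAGIC, MH_MAGIC_64):
            cputype = struct.unpack(order + "I", data[4:8])[0]
            return "macho", [CPU_NAMES.get(cputype, hex(cputype))]
    # Fat (universal) binary: header and slice table are always big-endian.
    if be_magic in (FAT_MAGIC, FAT_MAGIC_64):
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        # 0xCAFEBABE is also the Java class magic; Java keeps a version >= 45
        # at offset 4, whereas a genuine fat header holds a small slice count.
        if not 0 < nfat_arch < 30:
            return "other", []
        entry_size = 32 if be_magic == FAT_MAGIC_64 else 20
        archs = []
        for i in range(nfat_arch):
            off = 8 + i * entry_size
            if off + 4 > len(data):
                break  # truncated slice table
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return "macho-fat", archs
    return "other", []

def extension_masquerade(name: str, data: bytes) -> bool:
    """True when a .pdf-named file actually carries a Mach-O header."""
    return name.lower().endswith(".pdf") and classify(data)[0] in ("macho", "macho-fat")

# Constructed samples (not the campaign's files): a real PDF header, a thin
# little-endian arm64 Mach-O header, and a fat header with x86_64 + arm64 slices.
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
THIN_ARM64 = struct.pack("<II", MH_MAGIC_64, 0x0100000C) + b"\x00" * 24
FAT_X86_ARM = (struct.pack(">II", FAT_MAGIC, 2)
               + struct.pack(">iiIII", 0x01000007, 3, 4096, 1000, 12)
               + struct.pack(">iiIII", 0x0100000C, 0, 8192, 1000, 14))
```

Run `extension_masquerade(path.name, open(path, "rb").read(64))` over a mail or download quarantine to flag documents whose bytes say executable; the first 64 bytes are enough for every branch above.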
ESET stated that the lure was signed on July 21 using a
certificate issued in February 2022 to a developer named Shankey
Nohria. Apple revoked the certificate on August 12.
It’s worth noting that the malware is cross-platform: a Windows
equivalent of the same PDF document[6]
was used to drop an .EXE file named
“Coinbase_online_careers_2022_07.exe” earlier this month, as
revealed by Malwarebytes researcher Hossein Jazi[7].
The Lazarus Group has emerged as an expert of sorts[8]
when it comes to posing as HR representatives on social media
platforms like LinkedIn to target companies that are of strategic
interest.
Last month, it came to light that the $620 million Axie Infinity
hack attributed to the collective was the result of one of its
former employees getting duped[9]
by a fraudulent job offer on LinkedIn.
References
[1] Operation In(ter)ception (thehackernews.com)
[2] said (twitter.com)
[3] Coinbase_online_careers_2022_07.pdf (www.virustotal.com)
[4] FinderFontsUpdater.app (www.virustotal.com)
[5] safarifontagent (www.virustotal.com)
[6] same PDF document (www.virustotal.com)
[7] Hossein Jazi (twitter.com)
[8] expert of sorts (twitter.com)
[9] getting duped (thehackernews.com)
Read more https://thehackernews.com/2022/08/north-korea-hackers-spotted-targeting.html