North Korean Hackers Use Fake Job Offers to Deliver New macOS Malware


Researchers with cybersecurity company ESET have observed a new macOS malware sample developed by the infamous North Korean advanced persistent threat (APT) actor Lazarus.

Researchers with cybersecurity company ESET have observed a new macOS malware sample developed by the infamous North Korean advanced persistent threat (APT) actor Lazarus.

Believed to be backed by the North Korean government, Lazarus has been active since at least 2009, orchestrating various high-profile attacks, including numerous assaults on cryptocurrency entities.

Also referred to as Hidden Cobra, Lazarus is believed to comprise multiple subgroups, the activities of which often overlap, the same as their tools.

Over the past couple of years, Lazarus has been targeting various entities – including defense and governmental organizations and companies in the chemical sector – with fake job offers and sophisticated social engineering.

ESET now warns that Lazarus is once again relying on fake job offerings for the distribution of malware, as a continuation of an attack detailed in May, which relied on similar decoy documents for the distribution of Windows and macOS malware.

“A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation In(ter)ception by #Lazarus for Mac,” ESET said on Twitter.

Targeting both Intel and Apple chips, the malware was designed to drop three files on the victim’s machine, including a decoy PDF document, a bundle package, and a downloader named ‘safarifontagent’.

The bundle has a signing timestamp of July 21, which suggests that it was built to be part of a new instance of the campaign. The certificate used to sign it, however, was issued in February 2022 to developer ‘Shankey Nohria’.

“The application is not notarized and Apple has revoked the certificate on August 12,” ESET notes.

According to the security firm, the downloader was designed to reach out to a remote command-and-control (C&C) server, but the researchers could not retrieve a payload from it.

Earlier this month, security researchers observed a Windows counterpart of the malware, which would drop the exact same decoy document.


By Ionut Arghire on Thu, 18 Aug 2022 12:54:17 +0000
Original link