The North Korean state-backed Lazarus Group has been observed targeting job seekers with malware that runs on Apple Macs with both Intel and M1 (Apple Silicon) chips.
ESET, a Slovak cybersecurity firm, linked these events to a campaign dubbed “Operation In(ter)ception” that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the military and aerospace sectors into opening fake job offer documents.
The latest attack follows the same playbook: a job description for the Coinbase cryptocurrency exchange was used as the lure to drop a signed Mach-O executable.
ESET tweeted: “Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document ‘Coinbase_online_careers_2022_07.pdf’, a bundle ‘FinderFontsUpdater.app,’ and a downloader ‘safarifontagent.’”
The decoy file, despite its .pdf extension, is in reality a Mach-O executable that functions as a dropper: it launches FinderFontsUpdater, which in turn executes safarifontagent, a downloader designed to retrieve next-stage payloads from a remote server.
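The practical lesson of the decoy is that a file's extension says nothing about what it is; the bytes do. As an added example (not ESET's tooling and not code from the original report), the Python below implements that triage check: it reads the magic bytes, recognises both thin Mach-O and universal ("fat") headers, lists the architecture slices so a dual Intel/Apple Silicon build like the one described stands out, and flags a document-looking file name whose content is actually executable. The header bytes in `build_fat_sample` are constructed for the example and are not the real dropper's bytes; only the decoy's file name is taken from the report. It also separates a genuine fat header from a Java class file, which shares the same 0xCAFEBABE magic.

```python
import os
import struct

FAT_MAGIC = 0xCAFEBABE      # universal ("fat") Mach-O header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit thin Mach-O, stored little-endian on Intel and arm64 Macs
MH_MAGIC = 0xFEEDFACE       # 32-bit thin Mach-O

# Mach-O cputype constants (CPU_ARCH_ABI64 = 0x01000000 OR'd into the 64-bit variants).
CPU_TYPE_NAMES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}

# Extensions a lure is likely to carry while actually being code.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".rtf"}


def identify(data: bytes) -> dict:
    """Classify a file by its leading bytes, ignoring the file name entirely."""
    if data.startswith(b"%PDF-"):
        return {"kind": "pdf", "archs": []}
    if len(data) < 8:
        return {"kind": "unknown", "archs": []}

    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_be == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        # Java class files also start with 0xCAFEBABE, but the next u4 there is the
        # class-file version (>= 45). Apple's own loader treats a large count as "not fat",
        # so a small nfat_arch is what distinguishes a real universal binary.
        if nfat_arch >= 30:
            return {"kind": "java-class", "archs": []}
        archs = []
        for i in range(nfat_arch):
            off = 8 + i * 20                       # each fat_arch entry is 5 x u32
            if len(data) < off + 20:
                archs.append("truncated")
                break
            cputype, _cpusubtype, _offset, _size, _align = struct.unpack(">iiIII", data[off:off + 20])
            archs.append(CPU_TYPE_NAMES.get(cputype, hex(cputype)))
        return {"kind": "mach-o-universal", "archs": archs}

    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        cputype = struct.unpack("<i", data[4:8])[0]
        return {"kind": "mach-o", "archs": [CPU_TYPE_NAMES.get(cputype, hex(cputype))]}

    return {"kind": "unknown", "archs": []}


def flag_masquerade(filename: str, data: bytes) -> bool:
    """True when a document-style extension sits on top of Mach-O content."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in DOC_EXTENSIONS and identify(data)["kind"].startswith("mach-o")


def build_fat_sample() -> bytes:
    """Constructed sample header (not the real malware): x86_64 and arm64 slices."""
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">iiIII", 0x01000007, 3, 4096, 0, 12)   # x86_64 slice descriptor
    hdr += struct.pack(">iiIII", 0x0100000C, 0, 8192, 0, 14)   # arm64 slice descriptor
    return hdr


if __name__ == "__main__":
    # The decoy's file name from the report, paired with constructed universal-binary bytes.
    name = "Coinbase_online_careers_2022_07.pdf"
    info = identify(build_fat_sample())
    print(name, "->", info["kind"], info["archs"], "masquerade:", flag_masquerade(name, build_fat_sample()))
```

On a Mac the same check is the first thing `file` prints, and the follow-up for the signing question is `codesign -dvvv <path>` to read the signing identity and team; a check like this belongs in mail-gateway or endpoint triage because a universal binary with a .pdf name is never legitimate.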
ESET said the malware was signed on 21 July with a certificate issued in February 2022 to a developer named Shankey Nohria. As of 12 August, Apple had started revoking the certificate.
It’s worth noting that the malware is built as a universal binary, so the same file runs natively on both Intel and Apple Silicon Macs.
In July, it came to light that the Axie Infinity hack attributed to the Lazarus Group began with a former Axie Infinity employee being duped by a fake LinkedIn job offer.