The North Korea-backed Lazarus Group has been seen concentrating on job seekers with malware able to executing on Apple Macs with Intel and M1 chipsets.

Slovak cybersecurity agency ESET linked this to a marketing campaign referred to as “Operation In (Ter) Seception”, which was first uncovered in June 2020 and included a social engineering technique to defraud workers working within the aerospace and navy sectors. included utilizing.

The newest assault is not any completely different in that the job description for the Coinbase cryptocurrency trade platform was used as a launchpad to launch a signed Mach-O executable. ESET’s evaluation comes from a pattern of the binary uploaded to VirusTotal from Brazil on August 11, 2022.

Cyber ​​security

“Malware compiled for each Intel and Apple silicon,” the corporate Instructed In a sequence of tweets. “It drops three information: a pretend PDF doc ‘Coinbase_online_careers_2022_07.pdf’, a bundle ‘,’ and a downloader ‘safarifontagent.'”

macOS Malware

The decoy file, sporting a .PDF extension, is definitely a Mach-O executable that acts as a dropper to launch FinderFontsUpdater, which, in flip, executes safarifontsagent, a downloader that may be downloaded from a distant server to the subsequent. The stage’s payload is designed to retrieve.

ESET mentioned Greed was signed on July 21 utilizing a certificates issued in February 2022 to a developer named Shanky Nohria. Apple has since moved to revoke the certificates on August 12.

macOS Malware

It is price noting that the malware is cross-platform, because the Home windows equal of the identical PDF doc was used earlier this month to drop a .EXE file named “Coinbase_online_careers_2022_07.exe”, as a Malwarebytes researcher revealed. did. Hossein Jazik,

Lazarus Group has emerged form of specialist In the case of utilizing impersonation tips on social media platforms like LinkedIn to focus on firms with strategic curiosity as a part of a broader marketing campaign referred to as Operation Dream Job.

Cyber ​​security

“Operation Dream Job is principally an umbrella masking Operation In (Ter) Seception and Operation North Star,” ESET malware researcher Dominic Breitenbacher instructed The Hacker Information.

Final month, it got here to gentle that the $620 million Axi Infinity hack attributed to the collective was the results of considered one of its former workers being duped by a fraudulent job alternative on LinkedIn.

The superior persistent risk actor, which is already within the crosshairs of worldwide authorities after being sanctioned by the US authorities again in 2019, has additional diversified its technique by dipping its toe within the ransomware world.

In Could 2022, Trelix launched 4 ransomware strains, particularly BEAF, PXJ, ZZZZ and CHiCHi, and one other ransomware often known as VHD, as a part of the risk actor’s multi-platform malware framework referred to as MATA in 2020. unfolded, revealing the overlap between.

Since then, the group has been discovered making the most of two extra ransomware households, referred to as Maui and H0lyGh0st, as a method to generate a gentle stream of unlawful income, portray an image of a financially motivated group. which is utilizing a variety of strategies to fulfill the operational targets of governance. ,

Supply hyperlink