The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.
Slovak cybersecurity firm ESET linked it to a campaign dubbed “Operation In(ter)ception” that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents.
The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET’s analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022.
“Malware is compiled for both Intel and Apple Silicon,” the company said in a series of tweets. “It drops three files: a decoy PDF document ‘Coinbase_online_careers_2022_07.pdf‘, a bundle ‘FinderFontsUpdater.app,’ and a downloader ‘safarifontagent.'”
The decoy file, while sporting the .PDF extension, is in reality a Mach-O executable that functions as a dropper to launch FinderFontsUpdater, which, in turn, executes safarifontsagent, a downloader designed to retrieve next-stage payloads from a remote server.
ESET stated that the lure was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple has since moved to revoke the certificate on August 12.
It’s worth noting the malware is cross-platform, as a Windows equivalent of the same PDF document was used to drop an .EXE file named “Coinbase_online_careers_2022_07.exe” earlier this month, as revealed by Malwarebytes researcher Hossein Jazi.
The Lazarus Group has emerged an expert of sorts when it comes to posing as HR representatives on social media platforms like LinkedIn to target companies that are of strategic interest.
Last month, it came to light that the $620 million Axie Infinity hack attributed to the collective was the result of one of its former employees getting duped by a fraudulent job offer on LinkedIn.