The North Korea-backed Lazarus Group has been seen concentrating on job seekers with malware able to executing on Apple Macs with Intel and M1 chipsets.

Slovak cybersecurity agency ESET linked this to a marketing campaign referred to as “Operation In (Ter) Seception”, which was first uncovered in June 2020 and included a social engineering technique to defraud workers working within the aerospace and navy sectors. included utilizing.

The newest assault isn’t any totally different in that the job description for the Coinbase cryptocurrency alternate platform was used as a launchpad to launch a signed Mach-O executable. ESET’s evaluation comes from a pattern of the binary uploaded to VirusTotal from Brazil on August 11, 2022.

Cyber ​​security

“Malware compiled for each Intel and Apple silicon,” the corporate Advised In a collection of tweets. “It drops three information: a faux PDF doc ‘Coinbase_online_careers_2022_07.pdf’, a bundle ‘,’ and a downloader ‘safarifontagent.'”

macOS Malware

The decoy file, sporting a .PDF extension, is definitely a Mach-O executable that acts as a dropper to launch FinderFontsUpdater, which, in flip, executes safarifontsagent, a downloader that may be downloaded from a distant server to the following. The stage’s payload is designed to retrieve.

ESET stated Greed was signed on July 21 utilizing a certificates issued in February 2022 to a developer named Shanky Nohria. Apple has since moved to revoke the certificates on August 12.

macOS Malware

It is value noting that the malware is cross-platform, because the Home windows equal of the identical PDF doc was used earlier this month to drop a .EXE file named “Coinbase_online_careers_2022_07.exe”, as a Malwarebytes researcher revealed. did. Hossein Jazik,

Lazarus Group has emerged form of specialist Relating to utilizing impersonation tips on social media platforms like LinkedIn to focus on firms with strategic curiosity as a part of a broader marketing campaign referred to as Operation Dream Job.

Cyber ​​security

“Operation Dream Job is principally an umbrella protecting Operation In (Ter) Seception and Operation North Star,” ESET malware researcher Dominic Breitenbacher advised The Hacker Information.

Final month, it got here to gentle that the $620 million Axi Infinity hack attributed to the collective was the results of certainly one of its former workers being duped by a fraudulent job alternative on LinkedIn.

The superior persistent menace actor, which is already within the crosshairs of worldwide authorities after being sanctioned by the US authorities again in 2019, has additional diversified its technique by dipping its toe within the ransomware world.

In Could 2022, Trelix launched 4 ransomware strains, specifically BEAF, PXJ, ZZZZ and CHiCHi, and one other ransomware often known as VHD, as a part of the menace actor’s multi-platform malware framework referred to as MATA in 2020. unfolded, revealing the overlap between.

Since then, the group has been discovered benefiting from two extra ransomware households, referred to as Maui and H0lyGh0st, as a solution to generate a gentle stream of unlawful income, portray an image of a financially motivated group. which is utilizing a variety of strategies to fulfill the operational targets of governance. ,

Supply hyperlink