The North Korea-linked Lazarus group is continuing to target Apple's macOS users by luring them with fake job opportunities in the crypto industry. Recently, researchers at SentinelOne spotted a social engineering campaign spreading decoy documents advertising positions at the Singapore-based cryptocurrency exchange Crypto.com.
In August, cybersecurity firm ESET warned about a similar campaign where the hackers targeted experts in the fintech industry with fake Coinbase job offers laced with malware.
Lazarus has used attractive job offers as lures in a number of campaigns since at least 2020, including one targeting aerospace and defense contractors that was dubbed ‘Operation Dream Job.’
As for the latest operation, the researchers are not sure how exactly the malware is being delivered, though earlier reports suggested that threat actors were attracting victims via targeted messaging on the business networking platform LinkedIn.
The first stage of intrusion involves the deployment of a Mach-O binary, a dropper that launches the decoy PDF document containing the job listings at Crypto.com, while, in the background, it deletes the Terminal's saved state.
“The second stage in the Crypto.com variant is a bare-bones application bundle named ‘WifiAnalyticsServ.app’; this mirrors the same architecture seen in the Coinbase variant, which used a second stage called ‘FinderFontsUpdater.app’. The application uses the bundle identifier finder.fonts.extractor and has been in existence since at least 2021,” the researchers explained.
“The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent. This functions as a downloader from a [command-and-control] server.”
The researchers were not able to identify the payload dropped on the infected machines because the command and control server currently remains offline.
“The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets. The binaries are all universal Mach-Os capable of running on either Intel or M1 Apple silicon machines and signed with an ad hoc signature, meaning that they will pass Apple’s Gatekeeper checks despite not being associated with a recognized developer identity,” SentinelOne said.
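The two structural traits SentinelOne calls out, a universal (fat) Mach-O with both Intel and Apple silicon slices and an ad hoc code signature, are both visible in the file format itself, so they can be checked during triage without running the sample. The script below is an added example (it is not SentinelOne's tooling and does not reproduce the Lazarus binaries): it parses the fat header to list the architectures and walks the load commands to the `LC_CODE_SIGNATURE` blob, reading the `CS_ADHOC` flag from the embedded CodeDirectory. The sample files it inspects are constructed in-line with minimal headers (a real identity-signed binary also carries a CMS blob, which is omitted here; "identity-signed" is modelled only by clearing the flag), and the helper names `build_slice`, `build_fat` and `triage` are this example's own.

```python
"""Offline Mach-O triage: is the file universal, and is its signature ad hoc?
Added example with constructed sample binaries; not the original page's code."""
import struct

FAT_MAGIC = 0xCAFEBABE            # fat (universal) header, big-endian
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O header, little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007      # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C       # CPU_TYPE_ARM | CPU_ARCH_ABI64
ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0   # SuperBlob wrapping the signature
CSMAGIC_CODEDIRECTORY = 0xFADE0C02        # CodeDirectory blob inside it
CS_ADHOC = 0x00000002             # CodeDirectory flag: signed without a developer identity


def parse_fat(data):
    """Return [(cputype, slice_bytes)]: one entry per fat_arch, or one for a thin file."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        slices = []
        for i in range(nfat):   # fat_arch entries are 20 bytes each, right after the header
            cputype, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices.append((cputype, data[off:off + size]))
        return slices
    return [(struct.unpack_from("<I", data, 4)[0], data)]


def code_signature_flags(slice_bytes):
    """Walk the load commands; return the CodeDirectory flags, or None if unsigned."""
    magic, _cpu, _sub, _ft, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", slice_bytes, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O slice")
    pos = 32                                 # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", slice_bytes, pos)
        if cmd == LC_CODE_SIGNATURE:         # linkedit_data_command: dataoff, datasize follow
            dataoff, datasize = struct.unpack_from("<II", slice_bytes, pos + 8)
            return _codedirectory_flags(slice_bytes[dataoff:dataoff + datasize])
        pos += cmdsize
    return None


def _codedirectory_flags(blob):
    """SuperBlob index -> CodeDirectory -> flags field (big-endian, offset 12)."""
    magic, _length, count = struct.unpack_from(">III", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        return None
    for i in range(count):
        _type, off = struct.unpack_from(">II", blob, 12 + 8 * i)
        if struct.unpack_from(">I", blob, off)[0] == CSMAGIC_CODEDIRECTORY:
            return struct.unpack_from(">I", blob, off + 12)[0]
    return None


def triage(data):
    """Summarise the traits the article describes for a file's bytes."""
    slices = parse_fat(data)
    result = {"universal": len(slices) > 1, "archs": [], "adhoc_signed": False}
    for cputype, sl in slices:
        result["archs"].append(ARCH_NAMES.get(cputype, hex(cputype)))
        flags = code_signature_flags(sl)
        if flags is not None and flags & CS_ADHOC:
            result["adhoc_signed"] = True
    return result


# --- constructed sample binaries (minimal headers only, no real code) -------------
def build_slice(cputype, adhoc):
    """Header + one LC_CODE_SIGNATURE pointing at a SuperBlob holding a CodeDirectory."""
    codedir = struct.pack(">IIII", CSMAGIC_CODEDIRECTORY, 16, 0x20400, CS_ADHOC if adhoc else 0)
    superblob = struct.pack(">IIIII", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(codedir), 1, 0, 20) + codedir
    lc = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 32 + 16, len(superblob))
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1, 16, 0, 0)
    return header + lc + superblob


def build_fat(slices):
    """Fat container: big-endian header, fat_arch table, then the slices back to back."""
    nfat = len(slices)
    table, body, base = b"", b"", 8 + 20 * nfat
    for cputype, sl in slices:
        table += struct.pack(">IIIII", cputype, 0, base + len(body), len(sl), 0)
        body += sl
    return struct.pack(">II", FAT_MAGIC, nfat) + table + body


SAMPLE_UNIVERSAL_ADHOC = build_fat([(CPU_TYPE_X86_64, build_slice(CPU_TYPE_X86_64, True)),
                                    (CPU_TYPE_ARM64, build_slice(CPU_TYPE_ARM64, True))])
SAMPLE_THIN_IDENTITY = build_slice(CPU_TYPE_ARM64, False)

if __name__ == "__main__":
    print("universal, ad hoc :", triage(SAMPLE_UNIVERSAL_ADHOC))
    print("thin, identity    :", triage(SAMPLE_THIN_IDENTITY))
```

On a Mac the same two facts come from Apple's own tools (`lipo -archs` for the slices, `codesign -dv` which reports `Signature=adhoc`), but parsing the format directly lets the check run on a Linux analysis box or inside a pipeline over quarantined files. Note that an ad hoc signature is not malicious by itself; it is only the combination with the staged dropper behaviour described above that makes it a useful triage signal.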