27 September 2022

North Korean hackers are luring macOS users with jobs in crypto industry


The North Korea-linked Lazarus group is continuing to target Apple's macOS users by luring them with fake job opportunities in the crypto industry. Recently, researchers at SentinelOne spotted a social engineering campaign spreading decoy documents advertising positions at the Singapore-based cryptocurrency exchange Crypto.com.

In August, cybersecurity firm ESET warned about a similar campaign where the hackers targeted experts in the fintech industry with fake Coinbase job offers laced with malware.

Lazarus has been using attractive job offers as lures in a number of campaigns since at least 2020, including a campaign against aerospace and defense contractors dubbed ‘Operation Dream Job.’

As for the latest operation, the researchers are not sure how exactly the malware is being delivered, though earlier reports suggested that threat actors were attracting victims via targeted messaging on the business networking platform LinkedIn.

The first stage of the intrusion is a Mach-O dropper that opens the decoy PDF document containing the Crypto.com job listings while, in the background, deleting the Terminal's saved state.

“The second stage in the Crypto.com variant is a bare-bones application bundle named ‘WifiAnalyticsServ.app’; this mirrors the same architecture seen in the Coinbase variant, which used a second stage called ‘FinderFontsUpdater.app’. The application uses the bundle identifier finder.fonts.extractor and has been in existence since at least 2021,” the researchers explained.

“The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent. This functions as a downloader from a [command-and-control] server.”

The researchers were not able to identify the payload dropped on infected machines because the command-and-control server remains offline.

“The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets. The binaries are all universal Mach-Os capable of running on either Intel or M1 Apple silicon machines and signed with an ad hoc signature, meaning that they will pass Apple’s Gatekeeper checks despite not being associated with a recognized developer identity,” SentinelOne said.
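The ad hoc signing and universal (Intel/arm64) format described above are cheap to check during triage. The following is an added example, not SentinelOne's tooling or anything from the write-up: a small POSIX shell helper that classifies a binary's signature from the output of Apple's `codesign -dv --verbose=2` (ad hoc signatures appear as `Signature=adhoc` with `TeamIdentifier=not set`) and reports the architecture slices with `lipo -archs`. The sample codesign output embedded below is constructed for illustration; its bundle identifier and app name come from the article, while the path, hash counts and directory size are placeholders.

```shell
#!/bin/sh
# Added triage helper (not from the original report).
# classify_codesign reads `codesign -dv --verbose=2` output on stdin and
# prints one verdict: unsigned | adhoc | developer-id | other.
# As the report notes, an ad hoc signature satisfies the signature check
# without tying the binary to any recognized developer identity, so such
# binaries deserve a closer look in an incident review.
classify_codesign() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*)                     echo unsigned ;;
        *"Signature=adhoc"*)                       echo adhoc ;;
        *"Authority=Developer ID Application"*)    echo developer-id ;;
        *)                                         echo other ;;
    esac
}

# triage_binary runs the real tools on a file or .app bundle (macOS only)
# and prints "<verdict> archs=[<slices>] <path>". A universal binary shows
# both slices, e.g. "x86_64 arm64".
triage_binary() {
    f="$1"
    verdict=$(codesign -dv --verbose=2 "$f" 2>&1 | classify_codesign)
    archs=$(lipo -archs "$f" 2>/dev/null || echo unknown)
    printf '%s archs=[%s] %s\n' "$verdict" "$archs" "$f"
}

# Constructed sample of what codesign prints for an ad hoc signed universal
# app bundle. Path, size and hash counts are placeholders; the identifier and
# bundle name are the ones named in the article.
SAMPLE_ADHOC='Executable=/tmp/sample/WifiAnalyticsServ.app/Contents/MacOS/WifiAnalyticsServ
Identifier=finder.fonts.extractor
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=999 flags=0x2(adhoc) hashes=5+3 location=embedded
Signature=adhoc
Info.plist entries=10
TeamIdentifier=not set'

# Usage on a macOS host:  triage_binary /path/to/WifiAnalyticsServ.app
# Offline check against the constructed sample:
printf '%s\n' "$SAMPLE_ADHOC" | classify_codesign    # prints: adhoc
```

The verdict alone is not proof of anything malicious, since plenty of locally built tools are ad hoc signed; the value is in combining it with the other indicators the report gives, such as the `finder.fonts.extractor` identifier or a universal Mach-O that launches a PDF and touches the Terminal's saved state.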
