The North Korean APT is conducting a cyberespionage campaign against users of Apple and Intel-based systems using a bogus Coinbase job posting.
The North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign aimed at engineers using a fake job posting to spread macOS malware. The campaign’s malicious Mac executable targets both Apple and Intel chip-based systems.
The campaign, identified by researchers from ESET Research Labs and disclosed in a series of tweets published on Tuesday, impersonates cryptocurrency exchange Coinbase with a job posting that claims to be seeking an engineering manager for product security.
The recent campaign, dubbed Operation In(ter)ception, distributes a signed Mac executable disguised as a Coinbase job description, which researchers found uploaded to VirusTotal from Brazil. “Malware is compiled for both Intel and Apple Silicon,” according to one of the tweets. “It drops three files: Coinbase online careers 2022 07.pdf, FinderFontsUpdater.app, and safarifontagent.”
Similarities with Earlier Malware
The malware is comparable to a sample discovered by ESET in May, which contained a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy, according to researchers.
According to its timestamp, the most recent malware was signed on July 21, indicating that it is either something new or a variant of the previous malware. It uses a certificate issued to a developer named Shankey Nohria in February 2022 and revoked by Apple on August 12, according to researchers. The application was not notarized.
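The signing traits above (Developer ID certificate, no notarization, universal Intel/Apple Silicon build) are exactly what a defender can check locally with `codesign` and `spctl`. The following triage helper is an added example, not code from the article or from ESET; it parses constructed sample output modelled on those two tools, with the team ID and path as placeholders, and the developer name taken from the article.

```python
import re
# Constructed sample output (not from the article), modelled on what `codesign -dvvv <app>`
# and `spctl --assess --type exec -vv <app>` print; team ID and path are placeholders.
CODESIGN_OUT = """\
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=512 flags=0x10000(runtime) hashes=8+7 location=embedded
Authority=Developer ID Application: Shankey Nohria (TEAMIDXXXX)
Authority=Developer ID Certification Authority
TeamIdentifier=TEAMIDXXXX
"""
SPCTL_OUT = """\
/tmp/sample.app: rejected
source=Unnotarized Developer ID
"""

def parse_codesign(text):
    """Extract architectures, certificate chain and team ID from codesign output."""
    info = {"archs": [], "authorities": [], "team_id": None}
    for line in text.splitlines():
        key, _, val = line.partition("=")
        if key == "Format":
            m = re.search(r"universal \(([^)]*)\)", val)
            info["archs"] = m.group(1).split() if m else []
        elif key == "Authority":
            info["authorities"].append(val)
        elif key == "TeamIdentifier":
            info["team_id"] = val
    return info

def parse_spctl(text):
    """Return Gatekeeper's verdict ('accepted' or 'rejected') and the reason it gives."""
    verdict = source = None
    for line in text.splitlines():
        if line.endswith(": accepted") or line.endswith(": rejected"):
            verdict = line.rsplit(": ", 1)[1]
        elif line.startswith("source="):
            source = line[len("source="):]
    return verdict, source

def triage(codesign_text, spctl_text):
    """Flag the traits ESET described: Developer ID signature, no notarization, fat binary."""
    cs = parse_codesign(codesign_text)
    verdict, source = parse_spctl(spctl_text)
    flags = []
    if any(a.startswith("Developer ID Application:") for a in cs["authorities"]):
        flags.append("signed with a Developer ID certificate, team %s" % cs["team_id"])
    if verdict != "accepted":
        flags.append("Gatekeeper %s: %s" % (verdict, source))
    if {"x86_64", "arm64"} <= set(cs["archs"]):
        flags.append("universal binary: runs on both Intel and Apple Silicon")
    return flags
```

On a real system, feed the helper the stderr of `codesign -dvvv` and the stdout of `spctl --assess --type exec -vv` for the suspect bundle; a revoked certificate shows up as a Gatekeeper rejection with a different source string.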
According to ESET, a Windows variant of Operation In(ter)ception that drops the same decoy was discovered on August 4 by Malwarebytes threat intelligence researcher Jazi.
The campaign malware connects to a different command and control (C2) infrastructure than the malware discovered in May: https[:]//concrecapital[.]com/%user%[.]jpg, which researchers were unable to reach.
Lazarus is on the Run
Lazarus is widely recognized as one of the most prolific APTs and is already in the sights of international authorities, having been sanctioned by the U.S. government in 2019.
Lazarus is notorious for targeting academics, journalists, and professionals from various industries, especially the defense industry, in order to collect intelligence and financial support for Kim Jong-un’s regime. It has frequently employed impersonation techniques similar to those observed in Operation In(ter)ception to lure victims into downloading malware.
An earlier spear-phishing campaign identified in January also targeted job-seeking engineers by luring them with false employment opportunities. The attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.
Lazarus impersonated defense contractors Boeing and General Motors in a similar campaign uncovered the previous year, claiming to be seeking job candidates while spreading malicious documents.
Changing It Up
However, Lazarus has recently diversified its tactics, with the feds revealing that Lazarus is also responsible for a number of crypto heists aimed at bolstering Kim Jong-un’s regime financially.
In relation to this activity, the U.S. government imposed sanctions on the cryptocurrency mixer service Tornado Cash for assisting Lazarus in laundering proceeds from its cybercriminal activities, which the government believes are being used in part to finance North Korea’s missile program.
Lazarus has even experimented with ransomware as part of its cyberextortion frenzy. In May, researchers at the cybersecurity company Trellix connected the newly discovered VHD ransomware to the North Korean APT.