“#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil 🇧🇷. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher,” ESET Research recently tweeted.
Lazarus, a North Korean hacking collective, is again on the prowl and is currently scamming Mac users with false job postings that are actually malware files. Security researchers at ESET, who first identified the campaign, said that the Lazarus group’s most recent phishing attempts use phoney phone calls and advertise false Coinbase Inc developer jobs.
According to the security researchers at ESET, the malware being circulated is compiled for both Intel and Apple Silicon. “Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle FinderFontsUpdater.app and a downloader safarifontagent. It is similar to #ESETresearch discovery in May.”
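As an added example (not code from ESET or the article), a small Python triage helper that reads a Mach-O header and reports whether a file is a universal binary carrying both Intel (x86_64) and Apple Silicon (arm64) slices, the property ESET describes for this sample; the header bytes it is run against are constructed inline, not taken from the real malware.

```python
import struct

FAT_MAGIC = 0xCAFEBABE        # universal (fat) binary; header is big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O; header is little-endian on Intel and ARM
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def mach_o_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures contained in a Mach-O file's first bytes."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java .class files share the CAFEBABE magic; their next field is a
        # version number, never a plausible slice count, so reject those.
        if nfat == 0 or nfat > 32:
            return []
        archs = []
        for i in range(nfat):
            off = 8 + i * 20  # each fat_arch record is five big-endian uint32s
            if len(data) < off + 20:
                break         # truncated header: report only the slices we can read
            cputype, _subtype, _offset, _size, _align = struct.unpack(">IIIII", data[off:off + 20])
            archs.append(CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}"))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}")]
    return []


def is_universal_intel_and_arm(data: bytes) -> bool:
    """True when the file carries both an x86_64 and an arm64 slice."""
    archs = mach_o_architectures(data)
    return "x86_64" in archs and "arm64" in archs


def build_fat_header(cputypes: list[int]) -> bytes:
    """Constructed test input: a fat header with one slice record per cputype."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        hdr += struct.pack(">IIIII", cputype, 0, 0x4000 * (i + 1), 0x1000, 14)
    return hdr


# Constructed samples: a universal binary, a thin Intel-only binary, and a Java class.
SAMPLE_UNIVERSAL = build_fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])
SAMPLE_INTEL_ONLY = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86_64) + b"\0" * 24
SAMPLE_JAVA_CLASS = bytes.fromhex("cafebabe0000003d")
```

On a real file, pass the first 4 KiB of the file to `mach_o_architectures`; a dropped bundle or downloader that reports both slices matches the "compiled for both Intel and Apple Silicon" characteristic ESET noted.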
“A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates have become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices.”
It should be noted that the phishing campaign has so far been successfully blocked; however, the result could have been far worse. Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi Inc, was quoted by the publication SiliconANGLE as saying: “This attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals.”
Remember that the North Korean Lazarus Group is notorious for its long history of singling out potential victims. Lazarus is widely recognised as being responsible for the 2017 WannaCry ransomware outbreak, which affected more than 150 nations. Since the WannaCry attack in 2017, the Lazarus Group has resurfaced again and again.