Wednesday, August 17, 2022

North Korean Hackers Attacking Job Seekers with Malicious macOS Executable

The North Korean hacking group Lazarus is reportedly targeting job seekers with malware built specifically for Apple Macs with both Intel and M1 chipsets.

ESET first documented this campaign in a report titled "Operation In(ter)ception", published in June 2020. The Lazarus Group reportedly uses social engineering, luring job seekers in the aerospace and military sectors with fake job vacancies so that their data can be easily collected and used against them in later attacks.

The most recent reported attack took place on August 11, 2022, when several job seekers applying to the crypto company Coinbase reported receiving a code-signed Mach-O executable.

The decoy is a PDF document with a Mach-O executable embedded in it. It acts as a trojan dropper that launches a program named FinderFontsUpdater, which in turn downloads the payload used against the victim.
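A triage check a defender can run on a suspicious "PDF" like the one described above, written as an added example rather than code from the article or from ESET: it scans the file for Mach-O headers and, where it finds a universal (fat) binary, lists the CPU slices it carries, which is how a single lure can target both Intel and M1 Macs. The sample lure it builds is constructed for the demonstration and is not the real Coinbase decoy; the magic numbers and header layouts are the ones from Apple's loader.h and fat.h.

```python
import struct

# Magic numbers from <mach-o/fat.h> and <mach-o/loader.h>: the fat header is always big-endian,
# while x86_64/arm64 thin headers are little-endian on disk (MH_MAGIC_64 appears as CF FA ED FE).
FAT_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACF
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
FAT_BYTES, THIN_BYTES = b"\xca\xfe\xba\xbe", b"\xcf\xfa\xed\xfe"

def fat_slices(data: bytes, off: int) -> list:
    """Parse a fat header at off; return [(cpu_name, absolute_slice_offset)] or [] if it is not a sane fat header."""
    if off + 8 > len(data):
        return []
    nfat = struct.unpack_from(">I", data, off + 4)[0]
    if nfat == 0 or nfat > 20 or off + 8 + 20 * nfat > len(data):   # Java .class files also start with CAFEBABE
        return []
    slices = []
    for i in range(nfat):
        cputype, _sub, rel, _size, _align = struct.unpack_from(">IIIII", data, off + 8 + 20 * i)
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), off + rel))
    return slices

def triage(data: bytes) -> dict:
    """Report whether a blob starts like a PDF and every Mach-O header it carries, with the CPUs each targets."""
    findings, covered = [], set()
    pos = data.find(FAT_BYTES)
    while pos != -1:
        slices = fat_slices(data, pos)
        if slices:
            findings.append({"offset": pos, "kind": "fat", "archs": [a for a, _ in slices]})
            covered.update(o for _, o in slices)          # thin headers inside this fat binary are already reported
        pos = data.find(FAT_BYTES, pos + 1)
    pos = data.find(THIN_BYTES)
    while pos != -1:
        if pos not in covered and pos + 8 <= len(data):
            cputype = struct.unpack_from("<I", data, pos + 4)[0]
            findings.append({"offset": pos, "kind": "thin", "archs": [CPU_NAMES.get(cputype, hex(cputype))]})
        pos = data.find(THIN_BYTES, pos + 1)
    return {"looks_like_pdf": data.startswith(b"%PDF-"), "macho": sorted(findings, key=lambda f: f["offset"])}

def build_sample_lure() -> bytes:
    """Constructed sample (not the real lure): PDF bytes followed by a universal binary with x86_64 and arm64 slices."""
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    thin_x86 = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, 0, 0)   # minimal mach_header_64
    thin_arm = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, 0, 0)
    hdr = 8 + 20 * 2                                      # fat_header plus two fat_arch entries
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">5I", CPU_TYPE_X86_64, 3, hdr, len(thin_x86), 0)
    fat += struct.pack(">5I", CPU_TYPE_ARM64, 0, hdr + len(thin_x86), len(thin_arm), 0)
    return pdf + fat + thin_x86 + thin_arm
```

On a real sample, pass the bytes from `open(path, "rb").read()` to `triage()`; a file that reports `looks_like_pdf` together with any Mach-O finding deserves a closer look.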

ESET stated that the lure was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple revoked the certificate on August 12.

It's worth noting that the malware is cross-platform: a Windows equivalent of the same PDF document was used earlier this month to drop an .EXE file named "Coinbase_online_careers_2022_07.exe", as revealed by Malwarebytes researcher Hossein Jazi.


