Lazarus Hacker Group targets macOS users through crypto jobs
The Lazarus Group, a North Korean hacking group, is now sending fake cryptocurrency job offers to users of Apple’s macOS operating system. The job lures deliver malware that carries out the attack.
This latest variant of the campaign is being investigated by cyber security company SentinelOne.
The company found that the group is using decoy documents that advertise positions at Crypto.com, the Singapore-based cryptocurrency exchange platform, to lure victims into running the malware.
The latest variant of the campaign has been called “Operation In(ter)ception”. Reportedly, the phishing campaign is so far only targeting Mac users.
The malware used in these attacks has been found to be identical to that used in the fake Coinbase job ads.
Last month, researchers observed that Lazarus was using fake Coinbase job openings to trick macOS users into downloading malware.
How the group carries out the Crypto.com-themed attacks
The campaign is considered a coordinated operation: the attackers disguise malware as job advertisements from popular crypto exchanges.
This is done with well-designed, legitimate-looking PDF documents that list vacancies for positions such as “Art Director-Concept Art (NFT)” in Singapore.
According to a report by SentinelOne, this new crypto-job lure also involved Lazarus contacting victims directly through LinkedIn messages.
SentinelOne provided further details about the campaign, stating:
“Although it is not clear at this stage how the malware is distributed, previous reports suggested that threat actors attracted victims via targeted messages on LinkedIn.”
These two fake job adverts are just the latest in a series of attacks that have been dubbed Operation In(ter)ception, which in turn are part of a wider campaign that falls under the broader hacking operation called Operation Dream Job.
How the malware is distributed remains unclear
SentinelOne noted that it is still unclear how the malware is being distributed.
On the technical side, SentinelOne said the first-stage dropper is a Mach-O binary, the same malicious binary used in the Coinbase variant.
The first stage creates a new folder in the user’s Library directory and drops a persistence agent there.
The second stage’s primary purpose is to extract and run the third-stage binary, which acts as a downloader, retrieving content from the command-and-control (C2) server.
The advisory read,
“The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets.”
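The staging described above (a folder created under the user’s Library that holds a persistence agent, launched by an unobfuscated Mach-O binary) is something a defender can hunt for. The script below is an added example, not SentinelOne’s code and not derived from the malware: it scans a per-user LaunchAgents folder, flags agents whose program lives in a user-writable folder under ~/Library, and checks whether that program is a native Mach-O binary. The plists and the helper path written by demo() are constructed sample data; the labels and folder names are assumptions, not indicators from the report.

```python
"""Hunt for per-user LaunchAgents that match the staged persistence pattern above.

Added example, not SentinelOne's code or anything taken from the malware.
Sample plists and paths created by demo() are constructed for illustration.
"""
import os
import plistlib
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Mach-O magic values (32/64-bit, both byte orders) plus the fat/universal magic.
MACHO_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}


def is_macho(path: str) -> bool:
    """True if the file starts with a Mach-O or universal-binary magic number."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return len(head) == 4 and struct.unpack(">I", head)[0] in MACHO_MAGICS


def program_of(plist: dict) -> Optional[str]:
    """Executable a launchd job runs: the Program key, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def assess_agent(plist: dict, home: str) -> List[str]:
    """Reasons the agent resembles the staging described above; empty list = nothing notable.

    Only two findings count as primary: the program sits inside the user's own
    ~/Library tree, or the label imitates an Apple identifier in a per-user folder.
    RunAtLoad/KeepAlive and the Mach-O check are reported only as supporting detail,
    so ordinary user agents with RunAtLoad alone are not flagged.
    """
    prog = program_of(plist)
    if prog is None:
        return []
    prog = os.path.expanduser(prog)
    primary: List[str] = []
    if prog.startswith(os.path.join(home, "Library") + os.sep):
        primary.append("program lives in a user-writable folder under ~/Library")
    if str(plist.get("Label", "")).startswith("com.apple."):
        primary.append("label imitates an Apple identifier in a per-user agent folder")
    if not primary:
        return []
    details: List[str] = []
    if is_macho(prog):
        details.append("program is a native Mach-O binary, not a script")
    if plist.get("RunAtLoad") is True:
        details.append("RunAtLoad: starts at every login")
    if plist.get("KeepAlive"):
        details.append("KeepAlive: relaunched if it exits")
    return primary + details


def scan_launch_agents(agents_dir: str, home: str) -> Dict[str, List[str]]:
    """Assess every .plist in agents_dir; return only the flagged ones (filename -> reasons)."""
    findings: Dict[str, List[str]] = {}
    if not Path(agents_dir).is_dir():
        return findings
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException, ValueError):
            findings[path.name] = ["unparseable plist"]
            continue
        reasons = assess_agent(plist, home)
        if reasons:
            findings[path.name] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed ~/Library tree in a temp dir and scan it (sample data, not real IoCs)."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    agents = Path(home, "Library", "LaunchAgents")
    agents.mkdir(parents=True)
    # Constructed stage-one style drop: a folder under ~/Library holding a Mach-O binary.
    drop_dir = Path(home, "Library", "Application Support", "UpdateHelper")  # assumed name
    drop_dir.mkdir(parents=True)
    helper = drop_dir / "helper"
    helper.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # MH_MAGIC_64 header stub only
    suspicious = {"Label": "com.example.updatehelper", "ProgramArguments": [str(helper)],
                  "RunAtLoad": True, "KeepAlive": True}
    benign = {"Label": "com.example.backup", "Program": "/usr/local/bin/backup",
              "RunAtLoad": True}  # RunAtLoad alone is not a finding
    for plist in (suspicious, benign):
        with open(agents / f"{plist['Label']}.plist", "wb") as fh:
            plistlib.dump(plist, fh)
    return scan_launch_agents(str(agents), home)


if __name__ == "__main__":
    real_home = os.path.expanduser("~")
    real_agents = os.path.join(real_home, "Library", "LaunchAgents")
    for name, why in scan_launch_agents(real_agents, real_home).items():
        print(name, "->", "; ".join(why))
```

Run without arguments it scans the current user’s ~/Library/LaunchAgents; demo() exercises the same logic against a constructed tree. The Mach-O check is deliberately a magic-number test only: the report’s point is that the binaries are not obfuscated, so a plain header read is enough to tell a native executable from a shell or AppleScript wrapper.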
SentinelOne also noted that Operation In(ter)ception appears to extend its targeting from users of cryptocurrency exchange platforms to their employees, in what looks like “what may be a combined effort to conduct both espionage and cryptocurrency theft.”