The infamous North Korean hacking group Lazarus is trying to target Apple Inc. Mac users through fake job postings.
Detailed on August 16 by security researchers at ESET sro on Twitter, the new Lazarus campaign involves emails posing as job postings from Coinbase Inc. aimed at developers. The emails carry an attachment containing malicious files that can compromise Macs with both Intel and Apple silicon chips.
The Mac malware drops three files: a decoy PDF document, a fake font updater and a downloader called “safarifontagent.” The malicious files are timestamped July 21, indicating that the campaign is new rather than a re-run of earlier Lazarus activity. The certificate used to sign the malicious files, however, was issued in February this year to a developer known as “Shankey Nohria,” so the signing identity predates the files by several months.
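A first triage step on an attachment like this is to confirm what kind of binary it is and which CPU slices it carries, since a universal binary with both x86_64 and arm64 slices is what lets a single dropper run on Intel and Apple silicon Macs alike. The Python below is an added example written for this page, not ESET’s tooling and not code taken from the sample: it parses the universal (“fat”) header and the 64-bit Mach-O header from raw bytes and reports the architectures present. The binary it builds for input is a constructed stand-in containing only headers, not the real dropper.

```python
"""Mach-O architecture triage.

Added example for this page (not ESET's tooling): parse a universal ("fat")
binary header and the 64-bit Mach-O header to report which CPU architectures
a file carries.  The sample input is constructed here and contains only headers.
"""
import struct

FAT_MAGIC = 0xCAFEBABE      # fat header is always stored big-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O header, host (little-endian) byte order
MAX_SLICES = 16             # sanity cap; also rejects Java class files, which share
                            # the 0xCAFEBABE magic but carry a version >= 45 here

CPU_TYPES = {
    0x01000007: "x86_64",   # Intel Macs
    0x0100000C: "arm64",    # Apple silicon
}


def _thin_cputype(data, offset):
    """Return the cputype of a 64-bit Mach-O header at `offset`, or None."""
    if len(data) < offset + 8:
        return None
    magic, cputype = struct.unpack_from("<II", data, offset)
    return cputype if magic == MH_MAGIC_64 else None


def macho_architectures(data):
    """List the architectures in a thin or universal 64-bit Mach-O file.

    Raises ValueError for anything that does not parse as Mach-O.
    """
    if len(data) < 8:
        raise ValueError("file too short to be Mach-O")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        if not 0 < nfat <= MAX_SLICES:
            raise ValueError("implausible fat_arch count %d" % nfat)
        if len(data) < 8 + 20 * nfat:
            raise ValueError("truncated fat header")
        arches = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            cputype, _subtype, offset, size, _align = struct.unpack_from(
                ">IIIII", data, 8 + 20 * i)
            if offset + size > len(data):
                raise ValueError("slice %d extends past end of file" % i)
            if _thin_cputype(data, offset) != cputype:
                raise ValueError("slice %d is not a 64-bit Mach-O of the declared type" % i)
            arches.append(CPU_TYPES.get(cputype, "unknown(0x%08x)" % cputype))
        return arches
    cputype = _thin_cputype(data, 0)
    if cputype is None:
        raise ValueError("not a Mach-O file")
    return [CPU_TYPES.get(cputype, "unknown(0x%08x)" % cputype)]


def runs_on_all_macs(data):
    """True if the file carries both an Intel and an Apple-silicon slice."""
    return {"x86_64", "arm64"} <= set(macho_architectures(data))


# --- constructed sample input (headers only, not a real dropper) -------------

def thin_macho_header(cputype):
    """Minimal 32-byte mach_header_64 (filetype 2 = MH_EXECUTE), no load commands."""
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_universal(cputypes, align=12):
    """Assemble a fat binary from per-architecture headers, page-aligned like lipo."""
    page = 1 << align
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(cputypes)))
    slices, offset = [], page
    for ct in cputypes:
        blob = thin_macho_header(ct)
        slices.append((ct, offset, blob))
        offset = (offset + len(blob) + page - 1) & ~(page - 1)
    for ct, off, blob in slices:
        out += struct.pack(">IIIII", ct, 0, off, len(blob), align)
    for ct, off, blob in slices:
        out += b"\0" * (off - len(out))
        out += blob
    return bytes(out)


if __name__ == "__main__":
    sample = build_universal([0x01000007, 0x0100000C])
    print(macho_architectures(sample), runs_on_all_macs(sample))
```

On a Mac, `lipo -archs` or `file` gives the same answer for a real sample; the parser above is for doing the check offline, for example in a mail-gateway or sandbox pipeline, and it deliberately validates each slice’s own header rather than trusting the fat table alone. It only recognizes 64-bit slices, which is all current macOS will run.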
Another difference in the new campaign is that “safarifontagent,” a downloader seen in earlier Lazarus activity, now connects to a different command-and-control server. ESET researchers noted that the C&C server was unresponsive when they attempted to analyze the threat.
The Lazarus Group has a long history of attacks. The group is best known for spreading the WannaCry ransomware in 2017 but has surfaced regularly since then. Previous campaigns include one targeting Linux systems in December, and Lazarus was also linked to the theft of $615 million in cryptocurrency in the hack of the Ronin Network, the blockchain underlying the popular game “Axie Infinity.”
Although this campaign has so far been stalled, the outcome could have been much worse, and the threat remains ongoing.
“This attack targeting developers with signed executables has the potential to inflict tremendous damage on North Korea’s rivals,” Kevin Bocek, vice president of security strategy and threat intelligence at cybersecurity company Venafi Inc., told SiliconANGLE. “A key part of the attack is the use of a signed executable disguised as a job description. Code signing certificates have become the modus operandi of many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices.”
Szilveszter Szebeni, chief information security officer and co-founder of the crypto-based security solutions company Treasury SA, warned that although the attack was successfully prevented, the threat is still there. “Because the certificate signing the executable has been revoked, it’s difficult to stop an attacker if an unsuspecting victim runs their code,” Szebeni said.
Szebeni noted that organizations have two options for preventing campaigns like this: drastically limit the executables users are allowed to run by whitelisting trusted apps, or ensure that users don’t run apps from untrusted sources.
“While Option A could potentially be effective, it may also be entirely impossible for IT to process and run any executables they encounter to prevent this malware from infecting,” Szebeni noted.