North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector.
While it is no surprise that they’re targeting workers at Web3 companies, details about this specific social engineering campaign so far were limited to malware for the Windows platform.
Lazarus hackers have used fake job offers in the past and in a recent operation they used malware disguised as a PDF file with details about a position at Coinbase.
Decoy PDF used by Lazarus hacker group
The name of the false document was “Coinbase_online_careers_2022_07.” When launched, it displays the decoy PDF above and loads a malicious DLL that ultimately allows the threat actor to send commands to the infected device.
Security researchers at cybersecurity company ESET found that the hackers also had malware ready for macOS systems. They said that the malicious file is compiled for Macs with both Intel and Apple silicon, meaning that users of both older and newer models were targeted.
In a thread on Twitter, they note that the malware drops three files:
- the bundle FinderFontsUpdater.app
- the downloader safarifontagent
- a decoy PDF called “Coinbase_online_careers_2022_07” PDF (same as the Windows malware)
A similar campaign targeting macOS users and attributed to Lazarus was identified last year. The threat actor relied on the same fake job offer social engineering tactic but used a different PDF.
ESET linked the recent macOS malware to Operation In(ter)ception, a Lazarus campaign that targeted high-profile aerospace and military organizations in a similar way.
Looking at the macOS malware, the researchers noticed that it was signed on July 21 (as per the timestamp value) with a certificate issued in February to a developer using the name Shankey Nohria and team identifier 264HFWQH63.
On August 12, the certificate had not been revoked by Apple. However, the malicious application was not notarized – an automatic process that Apple uses to check software for malicious components.
macOS signed malware used by Lazarus
Compared to the previous macOS malware attributed to the Lazarus group of hackers, ESET researchers observed that the downloader component connects to a different command and control (C2) server, which was no longer responding at the time of the analysis.
North Korean hacker groups have long been linked to cryptocurrency hacks as well as using fake job offers in phishing campaigns aiming to infect targets of interest.