Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

North Korean Hackers Use Fake Job Offers to Deliver New macOS Malware

Researchers with cybersecurity company ESET have observed a new macOS malware sample developed by the infamous North Korean advanced persistent threat (APT) actor Lazarus.

Researchers with cybersecurity company ESET have observed a new macOS malware sample developed by the infamous North Korean advanced persistent threat (APT) actor Lazarus.

Believed to be backed by the North Korean government, Lazarus has been active since at least 2009, orchestrating various high-profile attacks, including numerous assaults on cryptocurrency entities.

Also referred to as Hidden Cobra, Lazarus is believed to comprise multiple subgroups, the activities of which often overlap, the same as their tools.

Over the past couple of years, Lazarus has been targeting various entities – including defense and governmental organizations and companies in the chemical sector – with fake job offers and sophisticated social engineering.

ESET now warns that Lazarus is once again relying on fake job offerings for the distribution of malware, as a continuation of an attack detailed in May, which relied on similar decoy documents for the distribution of Windows and macOS malware.

“A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation In(ter)ception by #Lazarus for Mac,” ESET said on Twitter.

Targeting both Intel and Apple chips, the malware was designed to drop three files on the victim’s machine, including a decoy PDF document, a bundle package, and a downloader named ‘safarifontagent’.

The bundle has a signing timestamp of July 21, which suggests that it was built to be part of a new instance of the campaign. The certificate used to sign it, however, was issued in February 2022 to developer ‘Shankey Nohria’.

Advertisement. Scroll to continue reading.

“The application is not notarized and Apple has revoked the certificate on August 12,” ESET notes.

According to the security firm, the downloader was designed to reach out to a remote command-and-control (C&C) server, but the researchers could not retrieve a payload from it.

Earlier this month, security researchers observed a Windows counterpart of the malware, which would drop the exact same decoy document.

Related: US Offers $10 Million for Information on North Korean Hackers

Related: U.S. Details North Korean Malware Used in Attacks on Defense Organizations

Related: North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.