New Attack by Lazarus
Advanced Persistent Threat (APT) Lazarus linked to North Korea is increasing its attack base with current operation In(ter)caption campaign, which targets Macs with M1 chip of Apple. The state-sponsored group continues to launch phishing attacks under the disguise of fake job opportunities.
Threat experts at ESET (endpoint detection provider) alerted this week that they found a Mac executable disguised as a job details for an engineering manager position at the famous cryptocurrency exchange operator Coinbase. ESET's warning on twitter says that Lazarus posted the fake job offer to Virus total from Brazil.
Operation In(ter)ception
"The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity," reports DarkReading
Lazarus made the latest rebuild of the malware, Interception.dll, to deploy on Macs via loading three files- FinderFontsUpdater.app and safarifontsagent, fake Coinbase job offers and two executables. The binary can exploit Macs packed with Intel processors and with Apple's new M1 chipset.
ESET experts began researching Operation In(ter)ception around three years back when the experts found attacks against military and aerospace companies.
They observed that the operation's main goal was surveillance, but it also found incidents of the threat actors using a target's email account through a business email compromise (BEC) to finalize the operation.
The interception.dll malware posts fake job offers to bait innocent victims, usually via LinkedIn. The Mac attack is the most recent one in a continuing aggressive front by Lazarus group to promote operation In(ter)ception, which has aggravated recently. ESET released a detailed white paper on the technique incorporated by Lazarus in 2020.
It's an irony that the fake Coinbase job posting targets technically oriented people. The experts think that the threat actors were in direct contact, which means the victim was prompted to open whatever pop-up windows showed up on the screen to see the "dream job" offer from Coinbase.
Apple revoked the certificate that would enable the malware to execute late last week after ESET alerted the company of the campaign. So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness, saysPeter Kalnai, a senior malware researcher for ESET.
