Infamous Lazarus hacking group targeting Mac users with fake job listings

SECURITY

Infamous North Korean hacking group Lazarus is attempting to target Apple Inc. Mac users via fake job offers.

Detailed Aug. 16 by security researchers at ESET s.r.o on Twitter, the new Lazarus campaign involves phony emails impersonating Coinbase Inc. developer job listings. The fake job emails include an attachment containing malicious files that can compromise both Intel and Apple chip-powered Mac computers.

The Mac malware drops three files: a decoy PDF document, a fake font updater app and a downloader called “safarifontagent.” The bundle of malicious files is timestamped July 21, indicating that the campaign is new, not part of previous Lazarus campaigns. That said, a certificate used to sign the malicious files was issued in February this year to a developer known as “Shankey Nohria.”

Other differences in the new campaign include a previously known Lazarus downloader “safarifontagent” connecting to a different command and control server. The ESET researchers noted that the C&C server did not respond at the time they attempted to analyze the threat.

The Lazarus Group has an extensive track record of targeting potential victims. The group is best known for being behind the spread of the WannaCry ransomware in 2017 but has regularly popped up since then. Previous campaigns include Lazarus targeting Linux systems in December. Lazarus was also linked to the theft of $615 million in cryptocurrency in the hack of the Ronin Network, the blockchain underlying the popular “Axie Infinity” game.

Although the campaign has so far been successfully blocked, the result could have been far worse. The campaign remains ongoing.

“This attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals,” Kevin Bocek, vice president of security strategy and threat intelligence at cybersecurity company Venafi Inc., told SiliconANGLE. “A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates have become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices.”

Szilveszter Szebeni, chief information security officer and the co-founder at encryption-based security solutions company Tresorit AG, warned that while the attack has been successfully prevented, the threat is still there. “Since the certificate signing the executable has been revoked, it is hard to stop an attacker if an unsuspecting victim runs their code,” Szebeni said.

Szebeni noted that organizations have two options to prevent campaigns such as this — significantly limiting the executables that users are allowed to run by whitelisting trusted applications, or making sure that users do not run the applications from untrusted sources.

“While option A can potentially be effective, it can also be quite impossible for IT to process and run executables they come across to prevent this malware from infecting,” Szebeni noted.

Image: Slate/Wikimedia Commons