UPDATED 20:40 EDT / AUGUST 18 2022


Infamous Lazarus hacking group targeting Mac users with fake job listings

Infamous North Korean hacking group Lazarus is attempting to target Apple Inc. Mac users via fake job offers.

Detailed Aug. 16 by security researchers at ESET s.r.o. on Twitter, the new Lazarus campaign involves phony emails impersonating Coinbase Inc. developer job listings. The fake job emails carry an attachment containing malicious files that can compromise both Intel- and Apple silicon-based Mac computers.

The Mac malware drops three files: a decoy PDF document, a fake font updater app and a downloader called “safarifontagent.” The bundle of malicious files is timestamped July 21, indicating that the campaign is new rather than a reuse of material from previous Lazarus campaigns. That said, the certificate used to sign the malicious files was issued in February this year to a developer known as “Shankey Nohria.”

Another difference in the new campaign is that the previously known Lazarus downloader “safarifontagent” now connects to a different command-and-control server. The ESET researchers noted that the C&C server did not respond at the time they attempted to analyze the threat.

The Lazarus Group has an extensive track record of targeting potential victims. The group is best known for being behind the spread of the WannaCry ransomware in 2017 but has regularly popped up since then. Previous campaigns include Lazarus targeting Linux systems in December. Lazarus was also linked to the theft of $615 million in cryptocurrency in the hack of the Ronin Network, the blockchain underlying the popular “Axie Infinity” game.

Although the campaign has so far been successfully blocked, the result could have been far worse, and the campaign remains ongoing.

“This attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals,” Kevin Bocek, vice president of security strategy and threat intelligence at cybersecurity company Venafi Inc., told SiliconANGLE. “A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates have become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices.”

Szilveszter Szebeni, chief information security officer and the co-founder at encryption-based security solutions company Tresorit AG, warned that while the attack has been successfully prevented, the threat is still there. “Since the certificate signing the executable has been revoked, it is hard to stop an attacker if an unsuspecting victim runs their code,” Szebeni said.

Szebeni noted that organizations have two options to prevent campaigns such as this: significantly limiting the executables that users are allowed to run by whitelisting trusted applications, or making sure that users do not run applications from untrusted sources.

“While option A can potentially be effective, it can also be quite impossible for IT to process and run executables they come across to prevent this malware from infecting,” Szebeni noted.
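As an added example of the kind of check behind the options Szebeni describes (this is not code from the article, ESET, Venafi or Tresorit), the following POSIX shell function triages a macOS app bundle or binary before a user is allowed to run it. It assumes Apple's codesign and spctl tools are present; on a host without them it reports that the item could not be assessed rather than guessing.

```shell
#!/bin/sh
# Defender-side triage of an untrusted macOS item: is the signature intact,
# who signed it, and would Gatekeeper allow it to execute? Gatekeeper's
# assessment is where a signed-but-revoked Developer ID certificate (the
# situation the article describes) is caught, so a valid-looking signature
# alone is never treated as approval.
#
# Return codes: 0 = signature valid and Gatekeeper accepts,
#               1 = unsigned, invalid, revoked/unnotarized, or file missing,
#               2 = codesign/spctl not available on this host (not assessed).
assess_bundle() {
    target="$1"
    [ -e "$target" ] || { echo "no such file: $target" >&2; return 1; }
    command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1 || {
        echo "cannot assess $target: codesign/spctl not available" >&2
        return 2
    }

    # Strict, deep verification covers every nested component of a bundle.
    if ! codesign --verify --deep --strict "$target" 2>/dev/null; then
        echo "REJECT: signature missing or invalid: $target"
        return 1
    fi

    # Record the signing chain so a known-bad developer identity or team can
    # be spotted in logs even before Gatekeeper weighs in.
    codesign -dvv "$target" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' | sed 's/^/  /'

    # Gatekeeper policy: notarization and certificate revocation are checked
    # here, so a signed binary whose certificate was revoked fails this step.
    if spctl --assess --type execute -vv "$target" 2>&1; then
        echo "ACCEPT: Gatekeeper allows execution: $target"
        return 0
    fi
    echo "REJECT: Gatekeeper denies execution (unnotarized or revoked): $target"
    return 1
}

# Usage: sh assess_bundle.sh /path/to/Untrusted.app
[ $# -ge 1 ] && assess_bundle "$1"
```

Return code 2 lets an allowlisting workflow distinguish "not assessed" from "rejected", so an item is never silently approved because the tooling was missing.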

Image: Slate/Wikimedia Commons
