By: Ravie Lakshmanan
The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple’s macOS operating system.
In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks.
The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which delved into a similar phony job posting for the Coinbase cryptocurrency exchange platform.
Both these fake job advertisements are just the latest in a series of attacks dubbed Operation In(ter)ception, which, in turn, is a constituent of a broader campaign tracked under the name Operation Dream Job.
Although the exact distribution vector for the malware remains unknown, it’s suspected that potential targets are singled out via direct messages on the business networking site LinkedIn.
The intrusions commence with the deployment of a Mach-O binary, a dropper that launches the decoy PDF document containing the job listings at Crypto.com, while, in the background, it deletes the Terminal’s saved state (“com.apple.Terminal.savedState”).
The downloader, also similar to the safarifontagent library employed in the Coinbase attack chain, subsequently acts as a conduit for a bare-bones second-stage bundle named “WifiAnalyticsServ.app,” which is a copycat version of “FinderFontsUpdater.app.”
“The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent,” SentinelOne researchers Dinesh Devadoss and Phil Stokes said. “This functions as a downloader from a [command-and-control] server.”
The final payload delivered to the compromised machine is unknown owing to the fact that the C2 server responsible for hosting the malware is currently offline.
These attacks are not isolated, for the Lazarus Group has a history of carrying out cyber-assaults on blockchain and cryptocurrency platforms as a sanctions-evading mechanism, enabling the adversaries to gain unauthorized access to enterprise networks and steal digital funds.
“The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets,” the researchers said.