Tuesday, September 27, 2022

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs


The notorious Lazarus Group has continued its pattern of using unsolicited job offers to deploy malware targeting Apple's macOS operating system.

In the latest variant of the campaign, observed by cybersecurity firm SentinelOne last week, the decoy documents advertise positions at the Singapore-based cryptocurrency exchange Crypto.com.

The latest disclosure builds on earlier findings from Slovak cybersecurity firm ESET in August, which examined a similar phony job posting for the Coinbase cryptocurrency exchange platform.


Both of these fake job advertisements are just the latest in a series of attacks dubbed Operation In(ter)ception, which in turn is part of a broader campaign tracked under the name Operation Dream Job.

Although the exact distribution vector for the malware remains unknown, potential targets are suspected to be singled out through direct messages on the business networking site LinkedIn.


The intrusions begin with the deployment of a Mach-O binary, a dropper that opens the decoy PDF document containing the Crypto.com job listings while, in the background, deleting the Terminal's saved state ("com.apple.Terminal.savedState").

The first-stage binary, which also resembles the safarifontagent library used in the Coinbase attack chain, then acts as a conduit for a bare-bones second-stage bundle named "WifiAnalyticsServ.app," a copycat of "FinderFontsUpdater.app."

"The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent," SentinelOne researchers Dinesh Devadoss and Phil Stokes said. "This functions as a downloader from a [command-and-control] server."


The final payload delivered to the compromised machine is unknown because the C2 server responsible for hosting the malware is currently offline.

These attacks are not isolated: the Lazarus Group has a history of carrying out cyberattacks on blockchain and cryptocurrency platforms as a sanctions-evading mechanism, enabling the adversaries to gain unauthorized access to enterprise networks and steal digital funds.

"The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets," the researchers said.
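The dropper chain described above, together with the researchers' note that the binaries are unobfuscated, suggests a simple host-side check. The following is an added example (not SentinelOne's or the article's code) that runs two rules over constructed endpoint telemetry: a non-Terminal process deleting com.apple.Terminal.savedState, and execution of a binary carrying one of the stage names from the write-up. The telemetry line format, the user paths and the decoy file name are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed endpoint telemetry, one event per line: "ts|pid|process|action|path".
# Line format and paths are hypothetical; indicator names come from the SentinelOne write-up.
SAMPLE_EVENTS = """\
1001|410|CryptoJobs|open|/Users/alice/Downloads/Crypto_com_Jobs.pdf
1002|410|CryptoJobs|delete|/Users/alice/Library/Saved Application State/com.apple.Terminal.savedState
1003|410|CryptoJobs|exec|/Users/alice/Library/WifiAnalyticsServ.app/Contents/MacOS/WifiAnalyticsServ
1004|415|WifiAnalyticsServ|exec|/Users/alice/Library/wifianalyticsagent
1005|99|Terminal|delete|/Users/alice/Library/Saved Application State/com.apple.Terminal.savedState
"""

# Second-stage bundle, third-stage downloader, and the library from the Coinbase chain.
STAGE_NAMES = ("wifianalyticsserv", "wifianalyticsagent", "safarifontagent")
SAVED_STATE = "com.apple.Terminal.savedState"

@dataclass(frozen=True)
class Event:
    ts: int
    pid: int
    process: str
    action: str
    path: str

def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, proc, action, path = line.split("|", 4)  # path may contain spaces
            events.append(Event(int(ts), int(pid), proc, action, path))
    return events

def detect(events: list[Event]) -> list[tuple[str, int]]:
    """Return (rule, pid) findings for the dropper behaviour described in the article."""
    findings: list[tuple[str, int]] = []
    wiped: set[int] = set()  # pids that removed Terminal's saved state
    for ev in events:
        # Terminal itself legitimately discards its own saved state; anything else doing so is odd.
        if ev.action == "delete" and ev.path.endswith(SAVED_STATE) and ev.process != "Terminal":
            findings.append(("terminal_savedstate_wipe", ev.pid))
            wiped.add(ev.pid)
        # The binaries are unobfuscated, so the bundle and binary names themselves are usable.
        if ev.action == "exec" and any(n in ev.path.lower() for n in STAGE_NAMES):
            findings.append(("stage_binary_exec", ev.pid))
            if ev.pid in wiped:  # same process wiped the saved state, then launched stage two
                findings.append(("dropper_stage_chain", ev.pid))
    return findings
```

Name-based matching only works because these samples are unobfuscated; the saved-state rule is the more durable of the two and is worth keeping even if the bundle names change.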
