MacOS Users targeted by Lazarus Hackers

  • The Lazarus Group are North Korean hackers
  • The hackers are now sending unsolicited and fake crypto jobs
  • Latest variant of the campaign is being scrutinized by SentinelOne

The Lazarus Group is a group of North Korean hackers who are currently sending unsolicited, fake crypto job offers to users of Apple’s macOS operating system. The malware bundled with these lures is what launches the attack.

The cybersecurity firm SentinelOne is looking into this most recent variant of the campaign.

The cybersecurity firm has determined that the hacker group advertised positions at the Singapore-based cryptocurrency exchange Crypto.com using decoy documents, and that these documents are the delivery vehicle for the attacks.

How Did The Group Conduct Hacks?

Operation In(ter)ception is the name given to the most recent variant of the hacking campaign. According to reports, the phishing campaign primarily targets Mac users.

It has been discovered that the malware used in the hacks is the same as the malware used in bogus job postings on Coinbase.

It has been suggested that this was a planned hack. Malware has been disguised by these hackers as job postings from popular cryptocurrency exchanges.

This is done with well-designed and legitimate-looking PDF documents that advertise openings for Singapore-based positions like Art Director-Concept Art (NFT). SentinelOne’s report says that Lazarus used LinkedIn messaging to contact other victims as part of this new crypto job lure.


First stage dropper is a Mach-O binary – SentinelOne 

These two fake job ads are just the most recent in a string of attacks dubbed Operation In(ter)ception, which is in turn part of the larger hacking operation known as Operation Dream Job.

The security company looking into this said that how the malware is being distributed is still unknown. SentinelOne stated that the first-stage dropper is a Mach-O binary, the same template binary used in the Coinbase variant, differing only in its specifics.

The first step involves dropping a persistence agent into a brand-new folder in the user’s library.

The primary function of the second stage is to extract and execute the third-stage binary, which acts as a downloader fetching further payloads from the C2 server.
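The persistence step above is the one a defender can audit on their own machine. The following is an added example and is not code from SentinelOne, from the article, or from the malware; it assumes, as a working hypothesis not stated on the page, that persistence takes the common macOS form of a LaunchAgent plist whose program lives in an unusual folder directly under the user’s Library. The sample plist, its label and its path are constructed for the demonstration.

```python
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: a LaunchAgent plist shaped like a persistence entry.
# The label and the path are hypothetical; they are not taken from the
# SentinelOne report or from this article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Library/ExampleFolder/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Directories directly under ~/Library that commonly hold executables
# launched by legitimate agents; anything else gets flagged for review.
KNOWN_LIBRARY_EXEC_DIRS = ("Application Support",)


def program_path(agent: dict) -> Optional[str]:
    """Return the executable a LaunchAgent would run, if it declares one."""
    if "Program" in agent:
        return str(agent["Program"])
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def audit_launch_agent(plist_bytes: bytes, home: str) -> List[str]:
    """Return findings for one LaunchAgent plist.

    Flags an executable placed in a non-standard folder directly under
    ~/Library, an agent that starts at every login, and one that is
    relaunched when killed. Findings are ordered path, RunAtLoad, KeepAlive.
    """
    agent = plistlib.loads(plist_bytes)
    findings: List[str] = []
    path = program_path(agent)
    if path is None:
        findings.append("no Program or ProgramArguments: nothing to run")
        return findings

    library = Path(home) / "Library"
    try:
        rel = Path(path).relative_to(library)
    except ValueError:  # executable is not under this user's Library
        rel = None
    if rel is not None and rel.parts:
        top = rel.parts[0]
        if top not in KNOWN_LIBRARY_EXEC_DIRS:
            findings.append(f"executable under non-standard ~/Library/{top}: {path}")

    if agent.get("RunAtLoad"):
        findings.append("RunAtLoad is set: runs at every login")
    if agent.get("KeepAlive"):
        findings.append("KeepAlive is set: relaunched if terminated")
    return findings


def audit_launch_agents_dir(home: str) -> Dict[str, List[str]]:
    """Audit every plist in ~/Library/LaunchAgents for the given home directory."""
    results: Dict[str, List[str]] = {}
    agents_dir = Path(home) / "Library" / "LaunchAgents"
    for plist in agents_dir.glob("*.plist"):
        results[plist.name] = audit_launch_agent(plist.read_bytes(), home)
    return results


if __name__ == "__main__":
    # Run against the constructed sample; swap in audit_launch_agents_dir(str(Path.home()))
    # to review a real account's agents.
    for finding in audit_launch_agent(SAMPLE_PLIST, "/Users/alice"):
        print(finding)
```

The check deliberately stays narrow: it reads only the plist, never executes anything, and reports structural hints (unusual install location, login persistence, auto-restart) that a reviewer confirms by inspecting the binary itself. A hit is a prompt for review, not a verdict, since legitimate software also installs agents that run at load.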

Source: https://www.thecoinrepublic.com/2022/09/29/macos-users-targeted-by-lazarus-hackers/