"APT Lazarus Targets Engineers with macOS Malware"

The North Korean Advanced Persistent Threat (APT) group Lazarus is back with a cyberespionage campaign that targets engineers through a fake job posting used to spread macOS malware. The campaign's malicious Mac executable targets both Apple and Intel chip-based systems. The campaign, discovered by ESET Research Labs researchers, impersonates cryptocurrency trader Coinbase in a job posting claiming to be looking for an engineering manager for product security.

The recent campaign, dubbed Operation In(ter)ception, distributes a signed Mac executable disguised as a job description for Coinbase, which researchers found had been uploaded to VirusTotal from Brazil. According to the researchers, the malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy. However, according to its timestamp, the most recent malware was signed on July 21, indicating that it is either new or a variant of the previous malware. It employs a certificate issued in February 2022 to a developer named Shankey Nohria and revoked by Apple on August 12. The app was not notarized.

Operation In(ter)ception has a companion Windows version of the malware that uses the same decoy and was discovered on August 4 by Malwarebytes threat intelligence researcher Jazi. In addition, the malware used in the campaign communicates with a different command-and-control (C2) infrastructure than the malware discovered in May. This article continues to discuss Lazarus using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

Threatpost reports "APT Lazarus Targets Engineers with macOS Malware"

Submitted by Anonymous on