"North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs"

The Lazarus Group has continued deploying malware targeting Apple's macOS operating system via unsolicited job opportunities. Researchers at SentinelOne have observed the latest variant of the campaign, which includes decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm "Crypto.com." The latest discovery builds on previous findings from the Slovak cybersecurity firm ESET in August, when it investigated a similar fraudulent job posting for the Coinbase cryptocurrency exchange platform. These fake job advertisements are the latest in a series of attacks known as "Operation In(ter)ception," which is part of a larger campaign called Operation Dream Job.

Although the malware's exact distribution vector is unknown, it is suspected that potential targets are singled out through direct messages on the business networking site LinkedIn. The intrusions begin with the deployment of a Mach-O binary, a dropper that launches the decoy PDF document containing the job listings at Crypto.com while deleting the Terminal's saved state in the background. The downloader, which is similar to the safarifontagent library used in the Coinbase attack chain, then acts as a conduit for a bare-bones second-stage bundle. The primary goal of the second stage is to extract and execute the third-stage binary. The final payload delivered to the compromised machine is unknown because the command-and-control (C2) server hosting the malware is currently unavailable.

This article continues to discuss the Lazarus Group targeting macOS users interested in cryptocurrency job positions.

THN reports "North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs"

Submitted by Anonymous on