
Job seekers targeted by Lazarus Group hack

The North Korean state-backed Lazarus Group has been observed targeting job seekers with malware capable of running on Apple Macs with Intel and M1 chipsets.

ESET, a Slovak cybersecurity company, linked these events to a campaign dubbed “Operation In(ter)ception”, first disclosed in June 2020, in which social engineering was used to induce employees in the military and aerospace sectors to open fake job offer documents.

The latest attack is no different: a job description for the Coinbase cryptocurrency exchange was used as the lure to drop a signed Mach-O executable.

The company tweeted: “Malware is compiled for both Intel and Apple Silicon. It removes three files: a decoy PDF document ‘Coinbase_online_careers_2022_07.pdf’, a set ‘FinderFontsUpdater.app’, and a downloader ‘safarifontagent’.”

The decoy file, despite its .pdf extension, is actually a Mach-O executable that works as a dropper: it launches FinderFontsUpdater, which in turn runs safarifontsagent, a downloader that fetches next-stage payloads from a remote server.

ESET said the decoy was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple began revoking the certificate on August 12.

It should be noted that the malware is a universal binary: the same executable runs natively on both Intel and Apple Silicon Macs, so the lure works regardless of which Mac the target uses.
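The two practical points in the ESET findings are that a file named as a PDF was really a Mach-O executable and that the executable was a universal build with both Intel and Apple Silicon slices. The following Python triage script, added here as an illustration and not part of ESET's research or the article, checks both properties from magic bytes alone: it distinguishes a genuine PDF from a thin or fat Mach-O, lists the CPU slices in a fat header, and flags a mismatch between name and content. The Mach-O constants come from Apple's public headers; the sample inputs (a minimal PDF, a hand-built fat header, a thin arm64 header and a Java class file) are constructed for the example, not captured from the campaign.

```python
import struct

# Constants from Apple's <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary header, always big-endian
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {0x00000007: "i386", CPU_TYPE_X86_64: "x86_64",
             0x0000000C: "arm", CPU_TYPE_ARM64: "arm64"}
FAT_ARCH_SIZE = 20          # struct fat_arch: cputype, cpusubtype, offset, size, align
MAX_FAT_ARCHES = 16         # heuristic cap: Java .class files also start with CAFEBABE


def identify(data: bytes) -> dict:
    """Classify a file by magic bytes: genuine PDF, thin Mach-O, fat Mach-O or unknown."""
    if data.startswith(b"%PDF-"):
        return {"kind": "pdf", "archs": []}
    if len(data) < 8:
        return {"kind": "unknown", "archs": []}
    magic, nfat = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC:
        # A .class file's version field lands here as an implausibly large arch count.
        if 0 < nfat <= MAX_FAT_ARCHES and len(data) >= 8 + FAT_ARCH_SIZE * nfat:
            archs = []
            for i in range(nfat):
                off = 8 + FAT_ARCH_SIZE * i
                cputype = struct.unpack(">IIIII", data[off:off + FAT_ARCH_SIZE])[0]
                archs.append(CPU_NAMES.get(cputype, hex(cputype)))
            return {"kind": "fat", "archs": archs}
        return {"kind": "unknown", "archs": []}
    # Thin Mach-O: magic and cputype are stored in the target's own byte order.
    for endian in ("<", ">"):
        magic, cputype = struct.unpack(endian + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return {"kind": "macho", "archs": [CPU_NAMES.get(cputype, hex(cputype))]}
    return {"kind": "unknown", "archs": []}


def is_universal(data: bytes) -> bool:
    """True if the file carries both an Intel and an Apple Silicon slice."""
    return {"x86_64", "arm64"} <= set(identify(data)["archs"])


def masquerades_as_pdf(filename: str, data: bytes) -> bool:
    """True if the name claims a PDF but the content is a Mach-O executable."""
    return filename.lower().endswith(".pdf") and identify(data)["kind"] in ("macho", "fat")


def build_fat_header(cputypes) -> bytes:
    """Constructed test input: a fat header plus arch table, without the actual slices."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        # cpusubtype, offset, size and align are placeholders; only cputype matters here
        hdr += struct.pack(">IIIII", cputype, 3, 0x4000 * (i + 1), 0x1000, 14)
    return hdr


# Constructed samples (not real malware): a genuine PDF, a universal "PDF", a thin arm64
# Mach-O header and a Java class file that shares the fat magic.
GENUINE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
FAKE_PDF_UNIVERSAL = build_fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])
THIN_ARM64 = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_ARM64) + b"\x00" * 24
JAVA_CLASS = bytes.fromhex("cafebabe00000034") + b"\x00" * 32


def triage(files: dict) -> dict:
    """Map filename -> verdict string for a batch of {name: bytes}."""
    verdicts = {}
    for name, data in files.items():
        info = identify(data)
        archs = ", ".join(info["archs"])
        if masquerades_as_pdf(name, data):
            verdicts[name] = "SUSPICIOUS: .pdf name but Mach-O (%s)" % archs
        else:
            verdicts[name] = info["kind"] + (" (%s)" % archs if archs else "")
    return verdicts


if __name__ == "__main__":
    samples = {
        "Coinbase_online_careers_2022_07.pdf": FAKE_PDF_UNIVERSAL,
        "report.pdf": GENUINE_PDF,
        "safarifontsagent": THIN_ARM64,
        "Main.class": JAVA_CLASS,
    }
    for name, verdict in triage(samples).items():
        print(name, "->", verdict)
```

On a Mac the same checks are available from the command line: `file` reports the container type and slices, `lipo -archs` lists a universal binary's architectures, and `codesign -dv --verbose=4` prints the signing identity, which is how a certificate like the one ESET describes would be tied back to its developer.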

In July, it emerged that the Axie Infinity hack attributed to the Lazarus Group began with one of Axie Infinity's former employees being duped by a fake job posting on LinkedIn.