Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip

Published: 23/11/2024   Category: security




Lazarus continues to expand an aggressive, ongoing spy campaign, using fake Coinbase job openings to lure in victims.



North Korean advanced persistent threat (APT) Lazarus is casting a wider net with its ongoing Operation In(ter)ception campaign, targeting Macs with Apple's M1 chip.

The state-sponsored group is continuing its favored approach of launching phishing attacks under the guise of fake job opportunities. Threat researchers at endpoint detection provider ESET warned this week that they discovered a Mac executable camouflaged as a job description for an engineering manager position at the popular cryptocurrency exchange operator Coinbase.

According to ESET's warning on Twitter, Lazarus uploaded the bogus job offer to VirusTotal from Brazil. Lazarus designed the latest iteration of the malware, Interception.dll, to execute on Macs by loading three files: a PDF document with the fake Coinbase job posting and two executables, FinderFontsUpdater.app and safarifontsagent, according to the alert. The binary can compromise Macs powered both with Intel processors and with Apple's new M1 chipset.
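A binary that runs on both Intel and M1 Macs is usually a universal ("fat") Mach-O carrying an x86_64 slice and an arm64 slice, although an x86_64-only binary would also run on an M1 under Rosetta 2, so the distinction is worth checking during triage. The helper below is an added example and is not code from the article, from ESET, or from the sample itself; it reads only the fat header and the Mach-O magic (constants as defined in Apple's mach-o/fat.h and mach-o/loader.h), and the byte strings it is exercised on are constructed here rather than taken from the real malware.

```python
import struct

# Magic numbers from Apple's mach-o/fat.h and mach-o/loader.h
FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary; header fields are big-endian
FAT_MAGIC_64 = 0xCAFEBABF   # fat header whose entries are fat_arch_64 (32 bytes each)
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O, header in the file's native byte order
MH_CIGAM_64 = 0xCFFAEDFE    # MH_MAGIC_64 as seen when the byte order is swapped

CPU_TYPE_X86_64 = 0x01000007  # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C   # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def _name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, "cputype_0x%08x" % cputype)


def mach_o_architectures(data: bytes) -> list:
    """Return the CPU architecture names a Mach-O file was built for.

    A universal binary yields one entry per embedded slice, a thin binary
    yields one entry, and anything else (including truncated input) yields [].
    """
    if len(data) < 8:
        return []
    be_magic = struct.unpack(">I", data[:4])[0]

    if be_magic in (FAT_MAGIC, FAT_MAGIC_64):
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        # Java .class files share the 0xCAFEBABE magic; their version field
        # would read here as an implausibly large slice count, so cap it.
        if nfat_arch == 0 or nfat_arch > 16:
            return []
        entry_size = 20 if be_magic == FAT_MAGIC else 32  # fat_arch vs fat_arch_64
        archs = []
        for i in range(nfat_arch):
            off = 8 + i * entry_size
            if off + 4 > len(data):
                break  # header claims more slices than the bytes we have
            archs.append(_name(struct.unpack(">I", data[off:off + 4])[0]))
        return archs

    if be_magic == MH_CIGAM_64:  # thin Mach-O written little-endian (the usual case)
        return [_name(struct.unpack("<I", data[4:8])[0])]
    if be_magic == MH_MAGIC_64:  # thin Mach-O written big-endian
        return [_name(struct.unpack(">I", data[4:8])[0])]
    return []


def targets_both_intel_and_apple_silicon(data: bytes) -> bool:
    """True when the file carries both an x86_64 and an arm64 slice."""
    archs = set(mach_o_architectures(data))
    return "x86_64" in archs and "arm64" in archs


# Constructed sample headers (not bytes from the real sample): a universal
# binary with x86_64 and arm64 slices, and a thin arm64-only executable.
SAMPLE_FAT = struct.pack(">II", FAT_MAGIC, 2)
SAMPLE_FAT += struct.pack(">IIIII", CPU_TYPE_X86_64, 0x3, 0x4000, 0x100, 14)  # fat_arch
SAMPLE_FAT += struct.pack(">IIIII", CPU_TYPE_ARM64, 0x0, 0x8000, 0x100, 14)
# mach_header_64: magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE),
# ncmds, sizeofcmds, flags, reserved
SAMPLE_THIN_ARM64 = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, 0, 0)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            head = f.read(4096)  # headers sit at the start; no need to read the body
        print(path, mach_o_architectures(head),
              "both:", targets_both_intel_and_apple_silicon(head))
    print("constructed fat sample:", mach_o_architectures(SAMPLE_FAT))
```

Run it with one or more file paths to classify real binaries; on macOS the same answer can be cross-checked with `file` or `lipo -archs`. The slice count cap and the truncation check matter in practice: a hunting pipeline will feed this all sorts of files, and a Java class or a cut-off download should come back as "not a Mach-O" rather than as a bogus list of architectures.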
ESET researchers started investigating Operation In(ter)ception nearly three years ago, when they discovered attacks against aerospace and military companies. They determined that the campaign's primary goal was espionage, although they also found instances of the attackers using a victim's email account via business email compromise (BEC) to complete the operation. The Interception.dll malware renders compelling but fake job offers to lure unsuspecting victims, often using LinkedIn.
The Mac attack is the latest in an ongoing barrage of efforts by Lazarus to accelerate Operation In(ter)ception, which has escalated in recent months. ESET published a detailed white paper on the tactic two years ago.
Ironically, the appealing Coinbase job posting targets technically oriented people.
"We suspect that the attackers were in direct contact, so the victim was probably instructed to click whatever popup windows showed up in order to see the dream job offer from Coinbase," Peter Kalnai, a senior malware researcher for ESET, explains to Dark Reading.
Apple revoked the certificate that would enable the malware to execute late last week, after ESET alerted the company to the campaign. "So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness," Kalnai notes.
"The certificate has been revoked, so it's not possible to execute it until the user adds it to allowed applications," he said. "Only then does this remain a threat, when the attackers start to be convincing enough to trick the victim into overcoming those obstacles to execution. Moreover, when the attackers approach their victim, they very likely verify that the certificate is not revoked, and in case it is, they may create a new, unrevoked certificate."
The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity.
Andrew Grotto, who served as the senior director for cybersecurity policy at the White House in both the Obama and Trump administrations, says North Korea has risen from an aspiring antagonist into one of the most aggressive threat actors in the world.
"North Korea has been able to acquire skills that may be required to craft really fast," says Grotto, who is now director of the Center for International Security and Cooperation at Stanford University's program on geopolitics, technology and governance. "They quickly emerged as one of the top, if not the top, cyber operators when it comes to high-end potential crimes."
