North Korean advanced persistent threat (APT) Lazarus is casting a wider net with its ongoing Operation In(ter)ception campaign, targeting Macs with Apple’s M1 chip.
The state-sponsored group is continuing its favored approach of launching phishing attacks under the guise of fake job opportunities. Threat researchers at endpoint detection provider ESET warned this week that it discovered a Mac executable camouflaged as a job description for an engineering manager position at the popular cryptocurrency exchange operator Coinbase.
According to ESET’s warning on Twitter, Lazarus uploaded the bogus job offer to VirusTotal from Brazil. Lazarus designed the latest iteration of the malware, Interception.dll, to execute on Macs by loading three files: a PDF document with the fake Coinbase job posting and two executables, FinderFontsUpdater.app and safarifontsagent, according to the alert. The binary can compromise Macs powered both with Intel processors and with Apple’s new M1 chipset.
ESET researchers started investigating Operation In(ter)ception nearly three years ago when its researchers discovered attacks against aerospace and military companies. They determined that the campaign’s primary goal was espionage, although it also found instances of the attackers using a victim’s email account via a business email compromise (BEC) to complete the operation. The Interception.dll malware renders compelling but fake job offers to lure unsuspecting victims, often using LinkedIn.
The Mac attack is the latest in an ongoing barrage of efforts by Lazarus to accelerate Operation In(ter)ception, which has escalated in recent months. ESET published a detailed white paper on the tactic by Lazarus two years ago.
Risk Mitigated by Apple
Ironically, the appealing Coinbase job posting targets technically oriented people.
“We suspect that the attackers were in direct contact, so the victim was probably instructed to click whatever popup windows showed up in order to see the ‘dream job’ offer from Coinbase,” Peter Kalnai, a senior malware researcher for ESET, explains to Dark Reading.
Apple revoked the certificate that would enable the malware to execute late last week after ESET alerted the company of the campaign. So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness, Kalnai notes.
“The certificate has been revoked, so it’s not possible to execute it until the user adds it to allowed applications,” he said. “Only then this remains a threat when the attackers start to be convincing enough to trick the victim to overcome those obstacles with execution. Moreover, when the attackers approach their victim, they very likely verify that the certificate is not revoked, and in case it is, they may create a new, unrevoked certificate.”
The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity.
Andrew Grotto, who served as the senior director for cybersecurity policy at the White House in both the Obama and Trump administrations, says North Korea has arisen from an aspiring antagonist into one of the most aggressive threat actors in the world.
“North Korea has been able to acquire skills that may be required to craft really fast,” says Grotto, who is now director of the Center for International Security and Cooperation at Stanford University’s program on geopolitics, technology and governance. “They quickly emerged as one of the top, if not the top, cyber operators when it comes to high-end potential crimes.”