The Lazarus Group are North Korean hackers who are now sending unsolicited and fake crypto jobs targeted toward Apple’s macOS operating system. The hacker group has deployed malware which conducts the attack.
This latest variant of the campaign is being scrutinised by the cybersecurity company SentinelOne.
The cybersecurity company found out that the hacker group used decoy documents for advertising positions for the Singapore-based cryptocurrency exchange platform called Crypto.com and is carrying out the hacks accordingly.
The latest variant of the hacking campaign has been called “Operation In(ter)ception”. Reportedly, the phishing campaign only targets Mac users by far.
The malware used for the hacks has been found to be identical to the ones used in fake Coinbase job postings.
Last month, researchers observed and found out that Lazarus used fake Coinbase job openings to trick only macOS users into downloading malware.
How Did The Group Conduct Hacks On the Crypto.com Platform
This has been considered to be an orchestrated hack. These hackers have camouflaged malware as job postings from popular crypto exchanges.
This is conducted by using well-designed and legitimate-seeming PDF documents displaying advertising vacancies for various positions, such as Art Director-Concept Art (NFT) in Singapore.
According to a report from SentinelOne, this new crypto job lure included targeting other victims by contacting them on LinkedIn messaging by Lazarus.
Providing additional details regarding the hacker campaign, SentinelOne stated,
Although it is not clear at this stage how the malware is being distributed, earlier reports suggested that threat actors were attracting victims via targeted messaging on LinkedIn.
These two fake job advertisements are just the latest in a host of attacks which have been called Operation In(ter)ception, and which in turn is a part of a broader campaign which falls under the broader hacking operation called Operation Dream Job.
Less Clarity On How The Malware Is Being Distributed
The security company looking into this mentioned that it is still unclear as to how the malware is being circulated.
Considering the technicalities, SentinelOne said that the first stage dropper is a Mach-O binary, which is the same as a template binary that has been used in the Coinbase variant.
The first stage consists of creating a new folder in the user’s library that drops a persistence agent.
The primary purpose of the second stage is to extract and execute the third-stage binary, which acts as a downloader from the C2 server.
The advisory read,
The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets.
SentinelOne also mentioned that Operation In(ter)ception also seems to be extending the targets from users of crypto exchange platforms to their employees, as it looks like “what may be a combined effort to conduct both espionage and cryptocurrency theft.”