Researchers have warned that the notorious Lazarus group is now targeting Web3 developers on Mac devices.
The North Korean state-sponsored threat actor recently went after blockchain developers with fake, lucrative-looking job offers that turned out to be nothing more than infostealers and malware.
While these attacks were limited to Windows users at first, cybersecurity researchers from ESET have now discovered that they are expanding into Apple territory, too.
Intel and Apple chips attacked
The campaign is virtually the same on both platforms. The group impersonates Coinbase, one of the largest and most popular cryptocurrency exchanges in the world, and reaches out to blockchain developers via LinkedIn and other platforms with a job offer. After some back-and-forth and a few rounds of "interviews", the attacker sends the victim what appears to be a .pdf file with the details of the position.
The file's name is Coinbase_online_careers_2022_07, and while it looks like a .pdf (icon and all), it is actually a malicious Mach-O executable that lets Lazarus send commands to the infected endpoint. The file is compiled for Macs with both Intel and Apple processors, the researchers further discovered, suggesting that the group is after both older and newer machine models. The icon is cosmetic: the file's header bytes, not its name or icon, identify what it really is.
Detailing the attack via Twitter, the researchers said the malware drops three files: the bundle FinderFontsUpdater.app, the downloader safarifontagent, and a decoy PDF called "Coinbase_online_careers_2022_07.pdf".
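As an added example (this is not code from ESET's research or from the original article): the first check a practitioner makes on a lure like this is on the file's header bytes, since the name and icon are cosmetic. The Python script below tells a genuine PDF apart from a thin or universal (fat) Mach-O executable and lists the architectures a universal binary was compiled for, which is how "built for both Intel and Apple silicon" shows up on disk. The field layouts come from Apple's mach-o/loader.h and mach-o/fat.h; the sample headers in the script are constructed for illustration and are not the actual malware.

```python
import struct

# Magic values from the Mach-O file format (mach-o/loader.h, mach-o/fat.h).
PDF_MAGIC = b"%PDF-"
FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary; header is big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit thin Mach-O; header is in the target's byte order
MH_MAGIC = 0xFEEDFACE       # 32-bit thin Mach-O
FAT_ARCH_SIZE = 20          # struct fat_arch: cputype, cpusubtype, offset, size, align
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64", 7: "i386", 12: "arm"}
MAX_FAT_ARCHS = 32          # heuristic: Java .class files share 0xCAFEBABE, and their
                            # version field reads as an absurd architecture count


def classify(data: bytes) -> dict:
    """Identify a file from its header bytes alone, ignoring name, extension and icon.

    Returns {"kind": ..., "archs": [...]} where kind is "pdf", "macho-thin",
    "macho-universal" or "unknown" and archs lists the CPU types found.
    Only little-endian thin headers (Intel and Apple silicon) are handled.
    """
    if data.startswith(PDF_MAGIC):
        return {"kind": "pdf", "archs": []}
    if len(data) < 8:
        return {"kind": "unknown", "archs": []}

    be_magic, nfat = struct.unpack(">II", data[:8])
    if be_magic == FAT_MAGIC and 0 < nfat <= MAX_FAT_ARCHS:
        archs = []
        for i in range(nfat):
            start = 8 + i * FAT_ARCH_SIZE
            entry = data[start:start + FAT_ARCH_SIZE]
            if len(entry) < FAT_ARCH_SIZE:   # truncated header: do not trust it
                return {"kind": "unknown", "archs": []}
            cputype, _cpusubtype, _offset, _size, _align = struct.unpack(">iiIII", entry)
            archs.append(CPU_TYPES.get(cputype, hex(cputype)))
        return {"kind": "macho-universal", "archs": archs}

    le_magic, cputype = struct.unpack("<Ii", data[:8])
    if le_magic in (MH_MAGIC_64, MH_MAGIC):
        return {"kind": "macho-thin", "archs": [CPU_TYPES.get(cputype, hex(cputype))]}
    return {"kind": "unknown", "archs": []}


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when the name claims to be a PDF but the bytes say otherwise."""
    return filename.lower().endswith(".pdf") and classify(data)["kind"] != "pdf"


# Constructed sample headers (not the real malware), just enough to exercise the parser.
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n"

# A universal binary declaring x86_64 and arm64 slices, as a binary built for both
# Intel and Apple-silicon Macs would. Offsets, sizes and alignments are placeholders.
SAMPLE_UNIVERSAL = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">iiIII", 0x01000007, 3, 0x4000, 0x100, 14)   # x86_64
    + struct.pack(">iiIII", 0x0100000C, 0, 0x8000, 0x100, 14)   # arm64
    + b"\0" * 16
)

# A thin 64-bit Mach-O header for arm64 only.
SAMPLE_THIN_ARM64 = struct.pack("<Ii", MH_MAGIC_64, 0x0100000C) + b"\0" * 24

# A Java class file (magic 0xCAFEBABE, minor 0, major 65) that must not be mistaken for a fat binary.
SAMPLE_JAVA_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x41" + b"\0" * 16


if __name__ == "__main__":
    for name, blob in [("Coinbase_online_careers_2022_07.pdf", SAMPLE_PDF),
                       ("Coinbase_online_careers_2022_07.pdf", SAMPLE_UNIVERSAL),
                       ("safarifontagent", SAMPLE_THIN_ARM64)]:
        info = classify(blob)
        flag = "  <-- name says PDF, bytes say otherwise" if is_masquerading(name, blob) else ""
        print(f"{name}: {info['kind']} {info['archs']}{flag}")
```

On a Mac, `file` gives the same first answer, and the two details reported below (the signing identity with its team identifier, and whether Apple notarized the binary) are read with `codesign -dvv <path>` and `spctl --assess --verbose <path>` respectively.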
Lazarus Group is no stranger to fake job offer attacks, and has carried them out in the past with much success. In fact, one of the largest cryptocurrency heists in history, the $600+ million attack on the Ronin bridge, was pulled off in exactly that way.
After reaching out to a software engineer and luring him into downloading the fake .pdf file, the Lazarus attackers found their way into the system, obtained the necessary credentials, and siphoned off hundreds of millions of dollars' worth of cryptocurrency tokens.
In this case, the malware was signed on July 21 with a certificate issued to a developer going by the name Shankey Nohria; the team identifier was 264HFWQH63. While the certificate had not been revoked as of August 12, when it was checked, BleepingComputer reports, the researchers did find that the binary had not been notarized, meaning Apple had not scanned it for malicious components.
Via: BleepingComputer