Lazarus Group's New Malware Campaign Targets Job Seekers on Macs
The North Korean Lazarus Group has launched a malware campaign targeting job seekers by leveraging fake job descriptions for prominent companies like Coinbase. This sophisticated social engineering tactic aims to infect Macs on both Intel and M1 chipsets, using a Mach-O executable disguised as a PDF. Here’s what you need to know.
North Korean Lazarus Group Targets Mac Users with Job Offer Malware
In a striking example of social engineering, North Korea’s Lazarus Group has set its sights on job seekers, using fake job offers to deliver malware designed to infect Apple Macs. This malicious campaign is a sobering reminder of how cybercriminals adapt to new technologies and vulnerabilities, targeting job applicants across military, aerospace, and now cryptocurrency sectors. Here’s a deep dive into the campaign and how you can protect your organization from these advanced threats.
The Evolution of Lazarus Group’s Tactics
Lazarus Group is infamous for targeting specific sectors with advanced persistent threats (APTs). In 2020, their “Operation In(ter)ception” campaign set the precedent, using job ads in the military and aerospace sectors to lure individuals into opening malicious files. This time, they’ve set their sights on cryptocurrency firms like Coinbase, highlighting their adaptability in targeting industries where data breaches can have high financial and security implications.
Security firm ESET recently identified malware disguised as a Coinbase job description that runs on Apple Macs powered by both Intel and M1 chipsets. The attack is packaged as a Mach-O executable, which lets it run natively across older and newer Mac models and so reach a broader base of Apple users.
How the Malware Works
1. Bait and Infect with a Fake PDF
Lazarus Group’s latest attack begins with a fake PDF named “Coinbase_online_careers_2022_07.pdf,” which is actually a Mach-O executable file. Instead of a simple document, this executable acts as a dropper to initiate the infection process.
When the unsuspecting victim opens this “PDF,” it runs the FinderFontsUpdater package as a background process. This step doesn’t reveal any signs of malicious activity to the user, allowing the malware to operate undetected.
2. A Multi-Stage Infection Process
After running the FinderFontsUpdater, the malware initiates a second payload, launching an installer called safarifontsagent. This agent connects to a remote server, where it can download additional malicious files or data, potentially gaining access to sensitive information or further embedding itself within the infected system. The malware’s multi-stage execution shows how advanced the Lazarus Group’s capabilities have become, designed specifically to evade detection.
3. Targeting macOS: Why It Matters
With Apple’s market share continuing to grow, Macs are increasingly attractive targets for cybercriminals. While macOS has a reputation for strong security, its widespread adoption by remote workers has made it a valuable target for APTs. Moreover, the Lazarus Group’s focus on ensuring compatibility with both Intel and M1 chips demonstrates their intention to compromise as many users as possible, regardless of their device's processor.
Social Engineering Tactics at Play
At the core of this campaign lies an effective social engineering strategy. Lazarus uses legitimate-seeming job descriptions from a highly regarded firm like Coinbase to entice individuals actively seeking employment. This form of phishing capitalizes on victims’ trust in familiar brands and their eagerness to find career opportunities.
Using job postings as bait also gives Lazarus Group another layer of legitimacy, reducing the likelihood of raising suspicions among victims. Given the job market's competitive nature, it’s unsurprising that job seekers may overlook security measures, unknowingly falling into these traps.
Defensive Measures for Organizations and Job Seekers
Both companies and individuals need to take preventive steps to avoid falling victim to such attacks:
1. Awareness Training on Job-Related Phishing Risks
To reduce the chances of employees falling victim to job-offer scams, organizations should invest in Security Awareness Training that focuses on phishing simulation exercises. By educating staff on the risks of targeted attacks like these, companies can improve their workforce’s ability to detect red flags in suspicious messages. Security Awareness Training not only builds individual awareness but strengthens overall organizational security.
2. Enhanced File Validation
Organizations should encourage employees to verify the legitimacy of any job-related documents. For instance, a genuine PDF file carries a distinct file signature, so a "PDF" that is actually a Mach-O executable could signal malware. File validation software can also scan and identify potentially harmful file types before they are opened.
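The check described above, as an added example that is not part of the original post or ESET's research: it classifies a file by its leading bytes rather than its extension, recognises both thin Mach-O and universal (fat) binaries, lists the CPU slices of a fat binary (the Intel/M1 compatibility the article mentions shows up as x86_64 and arm64 slices), and flags a file named `.pdf` that is really code. The sample inputs are constructed headers, not real malware.

```python
import struct

# Magic values from <mach-o/loader.h> and <mach-o/fat.h>; the file is read
# big-endian here, so a little-endian x86_64/arm64 binary shows up as MH_CIGAM_64.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC = 0xCAFEBABE
CPU_NAMES = {0x00000007: "i386", 0x01000007: "x86_64", 0x0100000C: "arm64"}

def classify(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name or extension."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if len(data) < 8:
        return "unknown"
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64):
        return "macho"
    if magic == FAT_MAGIC:
        # Java .class files share 0xCAFEBABE; a fat header follows it with a
        # small architecture count, a class file with a version number (>= 45).
        nfat = struct.unpack(">I", data[4:8])[0]
        if 1 <= nfat <= 20:
            return "macho-fat"
    return "unknown"

def fat_architectures(data: bytes) -> list:
    """Return the CPU type of each slice in a universal (fat) Mach-O header."""
    if classify(data) != "macho-fat":
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    arches = []
    for i in range(nfat):
        off = 8 + i * 20  # struct fat_arch: five big-endian uint32 fields
        if len(data) < off + 4:
            break
        cputype = struct.unpack(">I", data[off:off + 4])[0]
        arches.append(CPU_NAMES.get(cputype, hex(cputype)))
    return arches

def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file named like a PDF document actually contains Mach-O code."""
    return filename.lower().endswith(".pdf") and classify(data) in ("macho", "macho-fat")

# Constructed samples (not real files): a minimal PDF header and a universal
# binary header declaring one x86_64 slice and one arm64 slice.
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">IIIII", 0x01000007, 3, 0x1000, 0x4000, 12)
              + struct.pack(">IIIII", 0x0100000C, 0, 0x8000, 0x4000, 14))

if __name__ == "__main__":
    for name, blob in (("resume.pdf", SAMPLE_PDF), ("careers_2022_07.pdf", SAMPLE_FAT)):
        print(name, classify(blob), fat_architectures(blob), is_disguised_executable(name, blob))
```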
3. Endpoint Detection and Response (EDR)
An EDR system can help identify and isolate malware as soon as it attempts to execute. Endpoint security systems can detect suspicious activity, such as a disguised Mach-O executable launching background processes, even if the initial bait (e.g., a job description) seems legitimate. Implementing tools such as incident response platforms also ensures rapid containment of potential threats.
4. Vulnerability Management and Regular Updates
Since the malware targets specific chipsets, maintaining up-to-date software can mitigate vulnerabilities. Apple frequently patches security flaws in macOS, and enabling automatic updates can reduce exposure to known exploits.
5. Limit Access to Sensitive Information
Implementing strict access controls minimizes damage if a device does get infected. For example, companies should restrict access to sensitive documents and systems to only those who absolutely need it.
The Road Ahead: Lazarus Group’s Future Strategies
Lazarus Group's continued evolution suggests they may target even more diverse sectors as they refine their techniques. Their campaigns now target not only employees in government and defense but also job seekers in civilian industries like finance and tech. As long as they continue to use social engineering and malware tailored for specific operating systems, both companies and individuals need to stay vigilant and adopt proactive security measures.
For organizations, taking advantage of Human Risk Management Platforms can centralize training and response efforts, helping mitigate these social engineering threats more effectively. Learn more about building an effective, human risk management program that keeps your teams protected.
Editor's Note: This blog was updated on November 14, 2024.