• World CyberCon India
Firewall Daily Hacks

Fake Jobs on Coinbase: Espionage Campaign by Lazarus Group

North Korea state-sponsored hackers, Lazarus Group are luring job seekers who use Apple products with fake jobs. The malware is delivered through phishing links on emails.

Fake Jobs on Coinbase: Espionage Campaign by Lazarus Group
  • PublishedAugust 22, 2022

North Korea-backed cyber-criminal gang, Lazarus group has launched a fake job campaign for candidates on LinkedIn. Lazarus Group or Whois Team targets job seekers who use Apple’s Mac devices that run on Intel and M1 chipsets. The job details were uploaded to VirusTotal from Brazil. The descriptions have Mac executable codes camouflaged for the position of engineering manager.

Spying efforts targeted toward specific candidates

Job seekers are lured toward phishing emails with fake promises like a position at a popular cryptocurrency exchange operator, Coinbase. Researchers at ESET found that the phishing links on these emails can spy on the users and can affect both Intel and Apple Silicon. This malware uses Interception.dll and can be effectively executed on several Mac devices.

Infected files sent in fake job emails

The fake job offers have other files including a PDF document and two other executables. The executables include FinderFontsUpdater.app and safarifontsagent.

A screenshot of the job offer was posted by ESET on its Twitter that read, “We’re Coinbase. We’re the world’s most trusted way to join the crypto revolution, serving more than 89 million accounts in more than 100 countries…. we look for candidates who will thrive in a culture like ours, where we default to trust, embrace feedback, and disrupt ourselves.” The job offer is worded like those that are crafted by most companies on their websites. The candidates are enticed by the language, job description, and perks that most companies use.

Action by Apple after being notified about fake job malware

The certificate that was used to spread the malware on Apple devices is revoked by Apple since ESET alerted the company. However, the malware may become effective if users who do not know about the fake job offers allow permissions to malicious apps by changing their device settings.

Past crime report of Lazarus Group

ESET further mentioned in its tweet that this spying campaign is part of Lazarus’s ongoing Operation In(ter)caption campaign. The Advanced Persistent Threat (APT) actor has been in eyes of cybersecurity departments across the globe for years.


Written By

The Cyber Express is a publication that aims to provide the latest news and analysis about the information security industry. The news comes from a variety of sources and is updated regularly so that readers can stay up to date with the latest happenings in this rapidly growing field.