The North Korea-backed cyber-criminal gang Lazarus Group has launched a fake job campaign targeting candidates on LinkedIn. Lazarus Group, also known as Whois Team, is targeting job seekers who use Apple Mac devices running on Intel and M1 chipsets. The fake job description was uploaded to VirusTotal from Brazil. It is a Mac executable camouflaged as a job description for the position of engineering manager.
Spying efforts targeted toward specific candidates
Job seekers are lured with phishing emails carrying fake promises, such as a position at the popular cryptocurrency exchange operator Coinbase. Researchers at ESET found that the phishing links in these emails can be used to spy on users, and that the malware affects both Intel and Apple Silicon Macs. This malware uses Interception.dll and can be effectively executed on several Mac devices.
Infected files sent in fake job emails
The fake job offers come with other files, including a PDF document and two other executables: FinderFontsUpdater.app and safarifontsagent.
ESET posted a screenshot of the job offer on its Twitter account. It read, “We’re Coinbase. We’re the world’s most trusted way to join the crypto revolution, serving more than 89 million accounts in more than 100 countries…. we look for candidates who will thrive in a culture like ours, where we default to trust, embrace feedback, and disrupt ourselves.” The job offer is worded like the ones most companies publish on their own websites, so candidates are enticed by the familiar language, job description, and perks.
Action by Apple after being notified about fake job malware
Apple revoked the certificate that was used to spread the malware on Apple devices after ESET alerted the company. However, the malware may still be effective if users who do not know about the fake job offers grant permissions to malicious apps by changing their device settings.
Past crime report of Lazarus Group
#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil 🇧🇷. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7 pic.twitter.com/dXg89el5VT
— ESET research (@ESETresearch) August 16, 2022
ESET further mentioned in its tweet that this spying campaign is part of Lazarus’s ongoing Operation In(ter)ception campaign. The Advanced Persistent Threat (APT) actor has been on the radar of cybersecurity departments across the globe for years.