The Lazarus Group, a North Korean hacking group, is currently sending unsolicited, fake cryptocurrency job offers that target users of Apple’s macOS operating system. The group delivers malware through these lures to carry out the attack.
This latest variant of the campaign is being scrutinised by the cybersecurity company SentinelOne.
The company found that the group used decoy documents advertising positions at the Singapore-based cryptocurrency exchange Crypto.com and carried out the attacks accordingly.
The newest variant of the campaign has been named “Operation In(ter)ception”. Reportedly, the phishing campaign has so far targeted only Mac users.
The malware used in these attacks has been found to be similar to that used in fake Coinbase job postings.
Last month, researchers observed that Lazarus used fake Coinbase job openings to trick macOS users into downloading malware.
How Did The Group Conduct Hacks On the Crypto.com Platform
This is considered an orchestrated attack: the hackers disguised the malware as job postings from popular crypto exchanges.
This is done using well-designed, legitimate-looking PDF documents that advertise vacancies for various positions, such as Art Director-Concept Art (NFT) in Singapore.
According to SentinelOne’s report, the new crypto job lure also involved Lazarus approaching other victims through LinkedIn messaging.
Providing further details on the campaign, SentinelOne said,
Although it is not clear at this stage how the malware is being distributed, earlier reports suggested that threat actors were attracting victims via targeted messaging on LinkedIn.
These two fake job advertisements are just the latest in a series of attacks dubbed Operation In(ter)ception, which in turn is part of a broader campaign that falls under the wider hacking operation known as Operation Dream Job.
Less Clarity On How The Malware Is Being Distributed
The security company looking into this noted that it is still unclear how the malware is being distributed.
On the technical side, SentinelOne said the first-stage dropper is a Mach-O binary that matches the template binary used in the Coinbase variant.
The first stage creates a new folder in the user’s Library directory and drops a persistence agent there.
The main purpose of the second stage is to extract and execute the third-stage binary, which acts as a downloader that fetches from the C2 server.
The advisory read,
The threat actors have made no effort to encrypt or obfuscate any of the binaries, probably indicating short-term campaigns and/or little worry of detection by their targets.
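As an added defender-side example (not code from the article or from SentinelOne’s report), the script below hunts for the staging pattern described above: a user-level launch agent whose executable sits in a folder under ~/Library. It assumes the dropped persistence agent is a LaunchAgents plist, and it runs against constructed sample plists in a throwaway home directory rather than real artifacts.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample launch-agent plists (not real Lazarus artifacts): a benign
# agent pointing at an app bundle, and one whose program lives in a new folder
# under ~/Library, as the write-up describes for the dropped persistence agent.
SAMPLE_AGENTS = {
    "com.example.updater": "/Applications/Example.app/Contents/MacOS/updater",
    "com.placeholder.agent": "{home}/Library/PlaceholderFolder/stage2",
}


def write_samples(home: Path) -> Path:
    """Write the constructed plists into a fake home's LaunchAgents directory."""
    agents_dir = home / "Library" / "LaunchAgents"
    agents_dir.mkdir(parents=True)
    for label, program in SAMPLE_AGENTS.items():
        plist = {"Label": label, "RunAtLoad": True,
                 "ProgramArguments": [program.format(home=home)]}
        with open(agents_dir / f"{label}.plist", "wb") as fh:
            plistlib.dump(plist, fh)
    return agents_dir


def find_library_resident_agents(home: Path) -> list:
    """Return labels of launch agents whose executable lives under ~/Library."""
    library = (home / "Library").resolve()
    hits = []
    for plist_path in sorted((library / "LaunchAgents").glob("*.plist")):
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        program = Path(args[0]).expanduser().resolve()
        # LaunchAgents holds plists, not binaries; an executable in any other
        # folder below ~/Library matches the staging pattern described above.
        if library in program.parents and "LaunchAgents" not in program.parts:
            hits.append(data.get("Label", plist_path.stem))
    return hits


def demo() -> list:
    """Run the hunt over the constructed samples in a throwaway home directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(Path(tmp))
        return find_library_resident_agents(Path(tmp))


if __name__ == "__main__":
    print(demo())  # ['com.placeholder.agent']
```

On a real machine, point `find_library_resident_agents` at `Path.home()` and review each hit by hand; a legitimate agent can also live under ~/Library, so this is a triage filter, not a verdict.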
SentinelOne also noted that Operation In(ter)ception appears to be extending its targets from users of crypto exchange platforms to their employees, in “what may be a combined effort to conduct both espionage and cryptocurrency theft.”
Bitcoin was priced at $19,400 on the one-day chart | Source: BTCUSD on TradingView