Lazarus Hackers Target macOS Users Interested in Crypto Jobs

North Korean Lazarus hackers are targeting macOS users interested in crypto job opportunities. According to cybersecurity company SentinelOne, the latest variant of the campaign uses decoy documents advertising positions at the Singapore-based cryptocurrency exchange firm Crypto.com.

Earlier in August, Slovak cybersecurity firm ESET stumbled upon a similar phony job posting for the Coinbase cryptocurrency exchange platform.

These are the latest job advertisements created by fake organizations called In(ter)ception as part of a broader campaign under the name Dream Job.

Suspected targets are LinkedIn users, who are contacted via private messages on the website.

The bad actors start by deploying a dropper, which launches a decoy PDF file with job listings at Crypto.com while the saved state of the Terminal is deleted in the background.

The downloader, a similar version of the safarifontagent library employed in the Coinbase attack chain, then acts as a conduit for a very basic second-stage bundle. This hidden malware is named WifiAnalyticsServ.app and is basically a copycat version of FinderFontsUpdater.app.

The second stage of the malware is just a downloader, which downloads the third stage, wifianalyticsagent. SentinelOne researchers Dinesh Devadoss and Phil Stokes said, “This functions as a downloader from a [command-and-control] server.”

Because the C2 server that hosts this malicious software is offline, it’s unknown what the final payload was.
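The stages named above can be hunted for in endpoint file and process telemetry. The following Python is an added example, not code from SentinelOne or from the original article: only the artifact names come from the article, while the event schema, the sample events, their paths and the 10-minute correlation window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Artifact names from the article, matched case-insensitively on path components.
STAGE_NAMES = {"safarifontagent", "finderfontsupdater.app",
               "wifianalyticsserv.app", "wifianalyticsagent"}
# Directory macOS uses for Terminal's saved state (in ~/Library/Saved Application State).
TERMINAL_STATE = "com.apple.terminal.savedstate"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed telemetry; the schema (ts, host, action, path) and all paths are hypothetical.
SAMPLE = """\
{"ts":"2024-01-01T09:00:02","host":"mac-01","action":"delete","path":"/Users/a/Library/Saved Application State/com.apple.Terminal.savedState"}
{"ts":"2024-01-01T09:00:05","host":"mac-01","action":"create","path":"/Users/a/tmp/WifiAnalyticsServ.app/Contents/MacOS/WifiAnalyticsServ"}
{"ts":"2024-01-01T09:00:30","host":"mac-01","action":"exec","path":"/Users/a/tmp/wifianalyticsagent"}
{"ts":"2024-01-01T11:00:00","host":"mac-02","action":"delete","path":"/Users/b/Library/Saved Application State/com.apple.Terminal.savedState"}
{"ts":"2024-01-01T12:00:00","host":"mac-03","action":"create","path":"/Users/c/Downloads/safarifontagent"}
"""

def classify(event):
    """Return the set of indicators that one event matches."""
    parts = {p.lower() for p in event["path"].split("/") if p}
    tags = {"stage:" + p for p in parts & STAGE_NAMES}
    if event["action"] == "delete" and TERMINAL_STATE in parts:
        tags.add("terminal_state_wiped")
    return tags

def hunt(lines):
    """Map host -> (severity, stage names); 'high' needs a wipe near a named stage."""
    per_host = {}
    for line in filter(None, lines.splitlines()):
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        for tag in classify(ev):
            per_host.setdefault(ev["host"], []).append((ts, tag))
    findings = {}
    for host, hits in per_host.items():
        wipes = [ts for ts, tag in hits if tag == "terminal_state_wiped"]
        stages = [(ts, tag[6:]) for ts, tag in hits if tag.startswith("stage:")]
        if not stages:
            continue  # a lone saved-state deletion is not enough to alert on
        chained = any(abs(ts - w) <= WINDOW for ts, _ in stages for w in wipes)
        findings[host] = ("high" if chained else "medium", sorted({n for _, n in stages}))
    return findings

if __name__ == "__main__":
    for host, (severity, names) in sorted(hunt(SAMPLE).items()):
        print(host, severity, names)
```

A host is rated high only when a named stage appears within the window of a Terminal saved-state deletion; a stage name on its own is rated medium, and a saved-state deletion on its own is not reported.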

Hackers have been attacking blockchain platforms to steal digital funds. These thieves have a history of attacks and one group, the Lazarus Group, is especially successful.

No effort was made to encrypt the malware, which might indicate shorter-term campaigns.
