North Korean Lazarus hackers are targeting macOS users interested in crypto job opportunities. According to the cybersecurity company SentinelOne, the latest variant of the campaign uses decoy documents advertising positions at the Singapore-based cryptocurrency exchange Crypto.com.
Earlier in August, the Slovak cybersecurity firm ESET stumbled upon a similar phony job posting for the Coinbase cryptocurrency exchange platform.
These are the latest job advertisements created by the fake organizations known as In(ter)ception, part of a broader campaign operating under the name Dream Job.
The suspected targets are LinkedIn users, who are contacted through private messages on the platform.
The first-stage downloader, a variant of the safarifontagent library used in the Coinbase attack chain, then acted as a conduit for a very basic second-stage bundle. This hidden malware is named WifiAnalyticsServ.app and is essentially a copy of FinderFontsUpdater.app.
The second stage is itself just a downloader, which retrieves the third stage, wifianalyticsagent. SentinelOne researchers Dinesh Devadoss and Phil Stokes said, “This functions as a downloader from a [command-and-control] server.”
Because the C2 server that hosted this malware is now offline, the final payload remains unknown.
Hackers have long attacked blockchain platforms to steal digital funds, and one group in particular, the Lazarus Group, has been especially successful at it.
No effort was made to encrypt the malware, which may indicate that the attackers are running shorter-term campaigns.