The Lazarus Group is using Crypto.com to ship malware to macOS devices

The North Korean state-sponsored hacking group continues to find new ways to steal cryptocurrency

The infamous Lazarus Group has continued its pattern of using unsolicited job offers as lures to deploy malware targeting Apple’s macOS operating system. In this round, the North Korean hacking group poses as a recruiter for Crypto.com to draw in developers and other professionals working in the cryptocurrency space, with the end goal of stealing their digital assets.

In the latest variant of the campaign, spotted by cybersecurity firm SentinelOne last week, the decoy documents advertise positions at the Singapore-based cryptocurrency exchange Crypto.com. According to an advisory published Monday, the new attacks are a further instance of a campaign detected by ESET and Malwarebytes in August and attributed to Lazarus Group, an advanced persistent threat linked to North Korea.

These fake job ads are just the latest in a series of attacks dubbed Operation In(ter)ception, which, in turn, is a component of a broader campaign tracked under the name Operation Dream Job. While the exact distribution vector for the malware is unknown, it is suspected that potential targets are being singled out through direct messages on the business networking site LinkedIn.

The intrusions begin with a Mach-O binary: a dropper that opens the decoy PDF of Crypto.com job postings while, in the background, deleting the Terminal’s saved application state. That downloader, which resembles the safarifontagent library used in the earlier Coinbase-themed attack chain, then acts as a conduit for a basic second-stage package named “WifiAnalyticsServ.app,” itself a renamed copy of the “FinderFontsUpdater.app” seen in that chain.
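The practical lesson of that chain is that a “PDF job offer” can be a Mach-O executable that merely opens a PDF. The header-based triage below is an added example written for this article; it is not code from SentinelOne, ESET, Malwarebytes or the original page. It classifies a file from its first eight bytes (a real PDF starts with `%PDF-`, a Mach-O image with one of a few fixed magic numbers), flags documents whose header says “executable”, and looks for the two bundle names the article cites. The sample headers are constructed, the `file(1)` heuristic for telling a fat Mach-O from a Java class is borrowed as described in the comment, and the document extensions checked are an assumption.

```python
"""Header-based triage for lure files like the ones described above.

Added example for this article; not code from SentinelOne, ESET, Malwarebytes
or the original page. Sample bytes are constructed, not captured samples.
"""
import struct

PDF_MAGIC = b"%PDF-"

# Mach-O magic numbers from <mach-o/loader.h> and <mach-o/fat.h>,
# read as big-endian unsigned 32-bit integers.
THIN_MAGICS = {
    0xFEEDFACE: "Mach-O 32-bit",
    0xFEEDFACF: "Mach-O 64-bit",
}
FAT_MAGICS = {0xCAFEBABE, 0xCAFEBABF}

# Bundle names quoted in the article for the second stage and its template.
INDICATOR_BUNDLES = {"WifiAnalyticsServ.app", "FinderFontsUpdater.app"}

# Assumed list of "document" extensions a lure would wear.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".txt")


def classify_header(data: bytes) -> str:
    """Return a file-type label derived from the first 8 bytes only."""
    if data.startswith(PDF_MAGIC):
        return "PDF"
    if len(data) < 8:
        return "unknown"
    magic_be, word2 = struct.unpack(">II", data[:8])
    magic_le = struct.unpack("<I", data[:4])[0]
    # x86_64/arm64 images store the magic little-endian on disk, so a 64-bit
    # binary reads as CF FA ED FE; PowerPC-era images are big-endian.
    if magic_be in THIN_MAGICS:
        return f"{THIN_MAGICS[magic_be]} (big-endian)"
    if magic_le in THIN_MAGICS:
        return f"{THIN_MAGICS[magic_le]} (little-endian)"
    if magic_be in FAT_MAGICS:
        # 0xCAFEBABE is shared with Java class files. In a fat Mach-O the
        # second word is nfat_arch (a handful of slices); in a Java class it
        # is minor|major version with major >= 45. file(1) uses the same cut.
        if magic_be == 0xCAFEBABE and word2 > 30:
            return "Java class"
        return "Mach-O universal (fat)"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Flag a file whose name says 'document' but whose header says 'executable'."""
    kind = classify_header(data)
    looks_like_doc = filename.lower().endswith(DOCUMENT_EXTENSIONS)
    return {
        "file": filename,
        "kind": kind,
        "suspicious": looks_like_doc and kind.startswith("Mach-O"),
    }


def match_indicator_bundles(paths):
    """Return the indicator bundle names that appear as path components."""
    hits = set()
    for path in paths:
        for component in path.split("/"):
            if component in INDICATOR_BUNDLES:
                hits.add(component)
    return sorted(hits)


# Constructed sample headers (not from the real campaign).
SAMPLES = {
    "job_offer.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "job_offer_2.pdf": bytes.fromhex("cffaedfe 0c000001 00000000 02000000"),
    "universal_tool": bytes.fromhex("cafebabe 00000002 01000007 00000003"),
    "Hello.class": bytes.fromhex("cafebabe 00000034 0011000a 00000000"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
    print(match_indicator_bundles([
        "/Users/demo/Library/WifiAnalyticsServ.app/Contents/MacOS/WifiAnalyticsServ",
        "/Applications/Safari.app/Contents/MacOS/Safari",
    ]))
```

Run it against the first eight bytes of anything a recruiter sends you; a “.pdf” that classifies as Mach-O is the exact pattern this campaign relies on, and the bundle-name check is a quick way to sweep a host’s filesystem listing for the two names the article reports.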

Attacks such as these are not isolated: Lazarus Group has a long history of targeting blockchain and cryptocurrency platforms as a way of raising funds around international sanctions. Lures like this give the group unauthorized access to enterprise networks and, ultimately, a path to stolen digital funds. Crypto users on Americas Cardroom are advised to be wary of unsolicited job offers and similar approaches.
