The notorious North Korea-based Lazarus hacking group is back in action, targeting Apple Mac users with fake job emails that contain malicious files.
Researchers at cyber-security firm ESET posted a screenshot on Twitter that showed fake job listings from leading crypto exchange Coinbase by Lazarus, famous for spreading the WannaCry ransomware globally in 2017.
The fake job listing was for an engineering manager, product security, at Coinbase.
“A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation by Lazarus for Mac,” the ESET researchers posted in a tweet.
The fake job emails have an attachment containing malicious files that can compromise both Intel and Apple chip-powered Mac computers.
“Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document, a bundle, and a downloader,” warned researchers.
The Mac malware campaign is new and not part of previous Lazarus campaigns.
This time, “the bundle is signed on July 21 (according to the timestamp) using a certificate issued in February 2022 to a developer named Shankey Nohria. The application is not notarised and Apple revoked the certificate on August 12, “the researchers noted.
Last month, cyber-security researchers linked Lazarus with stealing $100 million worth of digital tokens from Harmony, the crypto startup behind Horizon Blockchain Bridge.
The Lazarus Group has perpetrated several large cryptocurrency thefts totalling over $2 billion, and has recently turned its attention to decentralised finance (DeFi) services such as cross-chain bridges, according to London-based blockchain analysis provider Elliptic.
The same group is believed to be behind the $540 million hack of Ronin Bridge.