The notorious Lazarus hacking group, based in North Korea, is back in action, sending out fake job emails containing malicious files to Apple Mac users.
Researchers at cyber-security firm ESET shared a screenshot on Twitter of fake job listings from leading crypto exchange Coinbase by Lazarus, which was responsible for the global spread of the WannaCry ransomware in 2017.
The phoney job posting at Coinbase was for an engineering manager, product security.
“A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation by Lazarus for Mac,” the ESET researchers posted in a tweet.
The bogus job emails include an attachment containing malicious files that can infect both Intel and Apple chip-powered Mac computers.
“Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document, a bundle and a downloader,” warned researchers.
The Mac malware campaign is brand new and has nothing to do with previous Lazarus campaigns.
This time around, “The bundle is signed on July 21 (according to the timestamp) with a certificate issued to a developer named Shankey Nohria in February 2022. The application is not notarized, and on August 12, Apple revoked the certificate “The researchers made this observation.
Last month, cyber-security researchers connected Lazarus to the theft of $100 million in digital tokens from Harmony, the cryptocurrency startup behind Horizon Blockchain Bridge.
According to London-based blockchain analysis provider Elliptic, the Lazarus Group has committed several large cryptocurrency thefts totaling more than $2 billion and has recently turned its attention to Decentralised Finance (DeFi) services such as cross-chain bridges.
The same group is suspected of being behind the $540 million Ronin Bridge hack.
