
North Korea Cyber Threat Group ‘Lazarus’ Targets M1 Mac with Signed Executables

August 23, 2022 | Brooke Crothers

Lazarus is back. This time it's hiding malware in a signed Mac executable disguised as a job description for Coinbase. Code signing certificates have become the modus operandi for North Korean Advanced Persistent Threat (APT) groups.

M1 MacBook and Intel

The malware, Interception.dll, is designed to execute by loading three files: a decoy PDF document and two executables, FinderFontsUpdater.app and safarifontagent, according to a series of tweets by ESET Research.

Compiled for M1 processor-based Macs and Intel silicon, the malware was uploaded to VirusTotal from Brazil, ESET said.

To reach their targets, the attackers used social engineering via LinkedIn, “hiding behind the ruse of attractive, but bogus, job offers,” ESET said, adding that it was likely part of the Lazarus campaign for Mac and is similar to research done by ESET in May.

Late last week, Apple revoked the certificate that enabled the malware to execute after ESET alerted the company to the campaign, according to Dark Reading. As a result, Macs with macOS Catalina v10.15 and later are protected, as long as the user has basic security awareness, Peter Kalnai, a senior malware researcher for ESET, told the cybersecurity publication.

Long History

The Lazarus cyber collective has been operating for more than 10 years “with the North Korean government's blessing,” as noted by Forbes. One of its highest-profile heists was the theft of over $600 million worth of cryptocurrency from the gaming-centric Ronin Network, an Ethereum-compatible blockchain.

And Lazarus has been linked to the WannaCry ransomware in May 2017 that impacted hospitals, governments and businesses around the world, resulting in an estimated $4 billion in losses, among other incidents (see below).

Lazarus had made a name for itself with cyber-espionage

One of the primary goals of the operation has been espionage, ESET said in a blog post in 2020 when it first uncovered “Operation In(ter)caption.” The APT group had been conducting targeted attacks against aerospace and military companies in Europe and the Middle East in the last few months of 2019, ESET said at that time.

The group “has made a real name for itself with its cyberespionage campaigns, and this attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals,” said Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi.

Venafi research shows that the proceeds of cybercriminal activities from North Korean APT groups are being used to circumvent international sanctions and gather intelligence, Bocek said, adding that the money from attacks is being funnelled directly into North Korea’s weapons programs.

Longstanding interest in malicious use of machine identities

“A key component of the attack is the use of a signed executable disguised as a job description,” according to Bocek.

Code signing certificates have become the modus operandi for many North Korean APT groups, as these digital certificates are the “keys to the castle, securing communication between machines of all kinds, from servers to applications to Kubernetes clusters and microservices,” Bocek said.

“We’ve seen countless times how North Korean hackers use signed certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks,” according to Bocek, citing incidents such as the 2014 Sony Hack and the $101 million Bangladesh Bank cyber hack via the SWIFT banking system.

These attacks have demonstrated North Korea’s long-standing interest in the malicious use of machine identities, which is a blind spot for many organizations. The Lazarus group understands machine identity and exploits it effectively, Bocek said.
