Lazarus is back. This time it's hiding malware in a signed Mac executable disguised as a job description for Coinbase. Code signing certificates has become the modus operandi for North Korean Advanced Persistent Threat (APT) groups.
The malware, Interception.dll, is designed to execute by loading three files: a decoy PDF document and two executables FinderFontsUpdater.app and safarifontagent, according to a series of tweets by ESET Research.
Compiled for M1 processor-based Macs and Intel silicon, the malware was uploaded to VirusTotal from Brazil, ESET said.
To reach their targets, the attackers used social engineering via LinkedIn, “hiding behind the ruse of attractive, but bogus, job offers,” ESET said, adding that it was likely part of the Lazarus campaign for Mac and is similar to research done by ESET in May.
Late last week, Apple revoked the certificate that enabled the malware to execute after ESET alerted the company to the campaign, according to Dark Reading. As a result, Macs with macOS Catalina v10.15 and later are protected, as long as the user has basic security awareness, Peter Kalnai, a senior malware researcher for ESET, told the cybersecurity publication.
The Lazarus cyber collective has been operating for more than 10 years “with the North Korean government's blessing,” as noted by Forbes. One of its highest-profile heists was the theft of over $600 million worth of cryptocurrency from the gaming-centric Ronin Network, an Ethereum-compatible blockchain.
And Lazarus has been linked to the WannaCry ransomware in May 2017 that impacted hospitals, governments and businesses around the world, resulting in an estimated $4 billion in losses, among other incidents (see below).
One of the primary goals of the operation has been espionage, ESET said in a blog post in 2020 when it first uncovered “Operation In(ter)caption.” The APT group had been conducting targeted attacks against aerospace and military companies in Europe and the Middle East in the last few months of 2019, ESET said at that time.
The group "has made a real name for itself with its cyberespionage campaigns, and this attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals,” said Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi.
Venafi research shows that the proceeds of cybercriminal activities from North Korean APT groups are being used to circumvent international sanctions and gather intelligence, Bocek said, adding that the money from attacks is being funnelled directly into the North Korea’s weapons programs.
“A key component of the attack is the use of a signed executable disguised as a job description,” according to Bocek.
Code signing certificates has become the modus operandi for many North Korean APT groups, as these digital certificates are the “keys to the castle, securing communication between machines of all kinds, from servers to applications to Kubernetes clusters and microservices,” Bocek said.
“We’ve seen countless times how North Korean hackers use signed certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks,” according to Bocek citing incidents such as the 2014 Sony Hack and the $101 million Bangladesh Bank cyber hack via the SWIFT banking system.
These attacks have demonstrated North Korea’s long-standing interest in the malicious use of machine identities, which is a blind spot for many organizations. The Lazarus group understands machine identity and exploits it effectively, Bocek said.