North Korean Threat Group Lazarus Up To Old Tricks With New Malware Attack Targeting Mac OS Systems

The news broke that ESET researchers have identified a new cyberespionage campaign by North Korean APT group Lazarus, targeting Apple and Intel chip systems via a fake engineering job post supposedly from Coinbase. Identified in a series of tweets, the job description claims to be seeking an engineering manager for product security, before dropping a signed executable.

Subscribe
Notify of
guest

1 Expert Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Kevin Bocek
Kevin Bocek , VP Security Strategy & Threat Intelligence
InfoSec Expert
August 18, 2022 2:26 pm

The North Korean APT group Lazarus has made a real name for itself with its cyberespionage campaigns, and this attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals. Our research shows that the proceeds of cybercriminal activities from North Korean APT groups are being used to circumvent international sanctions and gather intelligence. The money from such attacks is being funnelled directly into the DPRK’s weapons programmes, and any intel gathered could also be used against its enemies.

A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates has become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices. We’ve seen countless times how North Korean hackers use signed certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks. Incidents such as the 2014 Sony Hack, or the $101 million heist of the Bangladesh Bank via the SWIFT banking system, have demonstrated North Korea’s long-standing interest in the malicious use of machine identities. This attack makes use of a similar technique so could deal similar damage as Lazarus understands machine identity and exploits it so effectively, whilst it’s still such a blind spot for many organisations.

Last edited 1 month ago by Kevin Bocek
Information Security Buzz
1
0
Would love your thoughts, please comment.x
()
x