North Korean Threat Group Lazarus Up To Old Tricks With New Malware Attack Targeting Mac OS Systems

The North Korean APT group Lazarus has made a real name for itself with its cyberespionage campaigns, and this attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals. Our research shows that the proceeds of cybercriminal activities from North Korean APT groups are being used to circumvent international sanctions and gather intelligence. The money from such attacks is being funnelled directly into the DPRK’s weapons programmes, and any intel gathered could also be used against its enemies.

A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates has become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices. We’ve seen countless times how North Korean hackers use signed certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks. Incidents such as the 2014 Sony Hack, or the $101 million heist of the Bangladesh Bank via the SWIFT banking system, have demonstrated North Korea’s long-standing interest in the malicious use of machine identities. This attack makes use of a similar technique so could deal similar damage as Lazarus understands machine identity and exploits it so effectively, whilst it’s still such a blind spot for many organisations.