New Delhi: The notorious hacking group Lazarus, based in North Korea, is at it again, targeting Apple Mac users with fake job-vacancy emails containing malicious files. Researchers at cybersecurity firm ESET have posted a screenshot on Twitter that shows a fake job listing, purporting to be from leading crypto exchange Coinbase, created by Lazarus, the group known for spreading the WannaCry ransomware around the world in 2017. The fake job listing was for an engineering manager, product security at Coinbase.
“A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is a copy of Operation by Lazarus for Mac,” ESET researchers tweeted.
The fake job emails carry attachments with malicious files that can compromise both Intel-based and Apple Silicon Mac computers.
“The malware is compiled for both Intel and Apple Silicon. It deletes three files: a fraudulent PDF document, a kit and a downloader,” the researchers warned.
The Mac malware campaign is new and is not part of previous Lazarus campaigns. This time, “the package is signed on July 21st (according to the timestamp) using a certificate issued in February 2022 to a developer named Shenky Noria. The application was not notarized, and Apple revoked the certificate on August 12,” the researchers noted.
Last month, cybersecurity researchers linked Lazarus to the theft of $100 million worth of digital tokens from Harmony, the crypto startup behind the Horizon Blockchain Bridge.
According to London-based blockchain analysis provider Elliptic, Lazarus Group has committed several major cryptocurrency thefts totaling more than $2 billion and has recently turned its attention to decentralized finance (DeFi) services such as inter-chain bridges. The same group is believed to be behind the $540 million Ronin Bridge hack.
(The above story first appeared on LatestLY on 22 Aug 2022 at 11:55 IST.)