New Delhi: North Korea-based notorious Lazarus hacking group is back in action, targeting Apple Mac users with fake job emails that contain malicious files. Researchers at cyber-security firm ESET posted a screenshot on Twitter that showed fake job listings from leading crypto exchange Coinbase by Lazarus, famous for spreading the WannaCry ransomware globally in 2017. The fake job listing was for an engineering manager, product security, at Coinbase. Cryptocurrency Hack: Hackers Steal $100 Million in Digital Tokens From Harmony Blockchain Bridge.
"A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation by Lazarus for Mac," the ESET researchers posted in a tweet.
The fake job emails have an attachment containing malicious files that can compromise both Intel and Apple chip-powered Mac computers.
"Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document, a bundle and a downloader," warned researchers.
The Mac malware campaign is new and not part of previous Lazarus campaigns. This time, "the bundle is signed July 21 (according to the timestamp) using a certificate issued in February 2022 to a developer named Shankey Nohria. The application is not notarised and Apple has revoked the certificate on August 12," the researchers noted.
Last month, cyber-security researchers linked Lazarus with stealing $100 million worth digital tokens from Harmony, the crypto startup behind Horizon Blockchain Bridge.
The Lazarus Group has perpetrated several large cryptocurrency thefts totalling over $2 billion, and has recently turned its attention to Decentralised Finance (DeFi) services such as cross-chain bridges, according to London-based blockchain analysis provider Elliptic. The same group is believed to be behind the $540 million hack of Ronin Bridge.
(The above story first appeared on LatestLY on Aug 22, 2022 11:55 AM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).