ESET researchers continue to monitor a cyberespionage campaign, tracked as “Operation In(ter)ception,” that has been active at least since June 2020. The campaign targets employees working in the aerospace and military sectors and leverages decoy job offer documents.
ESET published a series of tweets detailing the recent attacks: the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.
#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7 pic.twitter.com/dXg89el5VT
— ESET Research (@ESETresearch) August 16, 2022
The malware is compiled for both Intel and Apple Silicon and drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle FinderFontsUpdater.app, and a downloader safarifontagent. The discovery is similar to other attacks detected by ESET researchers in May.
#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai @marc_etienne_ 1/8 pic.twitter.com/DV7peRHdnJ
— ESET Research (@ESETresearch) May 4, 2022
The bundle employed in the attack was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria, with team identifier 264HFWQH63.
“The application is not notarized and Apple has revoked the certificate on August 12.” states ESET.
Experts noticed that, unlike the May attacks, the downloader safarifontagent connects to a different C&C server (https://concrecapital[.]com/%user%.jpg). The C2 server did not respond at the time ESET experts analyzed this malware.
The researcher @h2jazi also discovered a Windows counterpart of this malware on August 4; it dropped the exact same decoy.
#Lazarus #APT:
0dab8ad32f7ed4703b9217837c91cca7
Coinbase_online_careers_2022_07.exe
The decoy pdf is "Engineering Manager, Product Security" job description at Coinbase.
Next stage: (gone!)
https://docs.mktrending[.]com/marrketend.png https://t.co/XETUeA5F6B pic.twitter.com/NTFUJ9AiCO
— Jazi (@h2jazi) August 4, 2022
ESET also shared Indicators of compromise (IoCs) for this threat.
IoCs:
FE336A032B564EEF07AFB2F8A478B0E0A37D9A1A6C4C1E7CD01E404CC5DD2853 (Extractor)
798020270861FDD6C293AE8BA13E86E100CE048830F86233910A2826FACD4272 (FinderFontsUpdater)
49046DFEAEFC59747E45E013F3AB5A2895B4245CFAA218DD2863D86451104506 (safarifontagent)
… 6/7
— ESET Research (@ESETresearch) August 16, 2022
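The indicators quoted above (the three SHA-256 hashes, the dropped file names, and the two C&C domains) can be turned into a simple triage check. The script below is an added example written for this article; it is not ESET's or Security Affairs' code. It walks a directory hashing files and matching names, and filters proxy log lines by C&C domain. The directory contents and the log lines it scans are constructed placeholders, not real samples or traffic; the hashes, names and domains are exactly those published in the tweets.

```python
"""Added example (not from ESET or Security Affairs): match the indicators
quoted in the article against files on disk and against proxy log lines."""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# SHA-256 hashes published in the ESET tweet, as quoted in the article (lowercased).
LAZARUS_MAC_SHA256 = {
    "fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853": "Extractor",
    "798020270861fdd6c293ae8ba13e86e100ce048830f86233910a2826facd4272": "FinderFontsUpdater",
    "49046dfeaefc59747e45e013f3ab5a2895b4245cfaa218dd2863d86451104506": "safarifontagent",
}

# File and bundle names named in the article (decoy PDF, bundle, downloader, Windows dropper).
SUSPICIOUS_NAMES = {
    "Coinbase_online_careers_2022_07.pdf",
    "Coinbase_online_careers_2022_07.exe",
    "FinderFontsUpdater.app",
    "safarifontagent",
}

# C&C hosts from the article. The macOS downloader fetches https://concrecapital[.]com/%user%.jpg
# (%user% is filled in at runtime), so the match is on the host rather than on a fixed path.
C2_DOMAINS = {"concrecapital.com", "docs.mktrending.com"}

URL_RE = re.compile(r"https?://\S+")


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Return (path, reason) pairs for entries whose name or hash matches an indicator."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # .app bundles are directories on macOS, so they can only be matched by name here.
        for d in dirnames:
            if d in SUSPICIOUS_NAMES:
                hits.append((os.path.join(dirpath, d), "name:" + d))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in SUSPICIOUS_NAMES:
                hits.append((path, "name:" + name))
            digest = sha256_of(path)
            if digest in LAZARUS_MAC_SHA256:
                hits.append((path, "sha256:" + LAZARUS_MAC_SHA256[digest]))
    return hits


def scan_proxy_log(lines):
    """Return the log lines containing a URL whose host is one of the C&C domains."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host in C2_DOMAINS:
                hits.append(line)
                break
    return hits


# Constructed sample log lines (not real traffic); the first and third should match.
SAMPLE_PROXY_LOG = [
    "2022-08-12T10:01:02Z 10.0.0.5 GET https://concrecapital.com/jsmith.jpg 200",
    "2022-08-12T10:01:03Z 10.0.0.5 GET https://example.com/images/logo.jpg 200",
    "2022-08-12T10:01:04Z 10.0.0.7 GET https://docs.mktrending.com/index.html 404",
]


def demo():
    """Build a throwaway directory with harmless placeholder files and run both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        # Placeholder files: only their names match, their contents are benign text.
        with open(os.path.join(tmp, "Coinbase_online_careers_2022_07.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 placeholder\n")
        os.mkdir(os.path.join(tmp, "FinderFontsUpdater.app"))
        with open(os.path.join(tmp, "README.txt"), "wb") as f:
            f.write(b"benign\n")
        file_hits = scan_tree(tmp)
    log_hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    return sorted(reason for _, reason in file_hits), log_hits


if __name__ == "__main__":
    reasons, matched = demo()
    print("file indicators:", reasons)
    print("log lines matching C&C hosts:", len(matched))
```

Name matches are weak evidence on their own (the decoy file name is a plausible legitimate document name), so in practice the hash matches and the C&C host lookups are the signals to alert on, with name matches used to prioritise what to hash first.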