The North Korea-linked Lazarus APT group continues to target macOS with a malware campaign that uses job opportunities as a lure. The attackers aimed to steal credentials for the victims’ wallets.
Last week, SentinelOne researchers discovered decoy documents advertising positions at the popular cryptocurrency exchange Crypto.com.
The SentinelOne investigation builds on a previous one conducted by ESET in August, when Lazarus APT was observed targeting job seekers with macOS malware that also works on Intel and M1 chipsets.
ESET published a series of tweets detailing the attacks. The experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.
Lazarus APT has used this kind of lure in multiple campaigns since at least 2020, including a campaign dubbed ‘Operation Dream Job’.
The researchers have no evidence of how the malware is being distributed, but earlier reports on Operation In(ter)ception suggested that the threat actors initially established contact with the victims via targeted messaging on LinkedIn.