North Korea’s State-Run “Lazarus” Cybercrime Org Victimizes Coinbase Job-Hunters with Advanced Phishing Attack

The News: North Korea’s state-backed cybercrime workforce (aka Lazarus) just can’t quit its pet-approach to phishing attacks; Posting bogus opportunities on job boards – this time targeting would-be employees for the crypto giant Coinbase. For their part, Apple, whose M1 chips were vulnerable to the attacks, took swift action to revoke the certificate which enabled the malware to execute.

Cybersecurity software producer ESET first sounded the alarm on Twitter after their research arm learned that a Mac executable disguised as a job opportunity had been uploaded to VirusTotal. Read more about the threat from DarkReading.

With Coinbase Scam, Lazarus Takes Aim at Tech Savvy Job Seekers

Read the full thread on Twitter

Analyst Take: ESET’s research arm has been closely watching the Pariah state’s Operation In(ter)ception since early 2020 when it found evidence of attacks against military and aerospace companies. At the time they produced an extensive white paper on the topic and concluded that North Korea’s main goal for the malware was espionage. The group was already placing a file titled “Interception.dll” to draw in victims with completely fabricated, though convincing, job opportunities via LinkedIn and other popular job-search sites.

According to ESET’s Twitter thread, the newest iteration of Operation In(ter)ception malware can penetrate both Intel and Mac Silicon. The cybersecurity giant warned of three files left by the malware: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http://FinderFontsUpdater.app, and a downloader safarifontagent. The Twitter thread goes on to break down each element of the program and how they work together to gain access and information.

It may seem ironic that folks who are seeking positions at a large tech company would be so easily victimized by a phishing expedition, but there’s a method to the madness.

Apple Closed a Major Loophole OSX Users but the Threat Remains Active

In order to hoodwink relatively tech-savvy job seekers, it’s likely that the attackers were in direct contact with their victims, Peter Kalnai, a senior malware researcher for ESET, told DarkReading. “The victim was probably instructed to click whatever popup windows showed up in order to see the ‘dream job’ offer from Coinbase.”

“The certificate has been revoked, so it’s not possible to execute it until the user adds it to allowed applications,” continued Kalnai, stating that Mac users running OSX Catalina or later now had some level of protection from the malware’s current iteration. But before you breathe too easy, consider Kalnai’s description of the advanced nature of Lazarus operations: “This remains a threat when the attackers start to be convincing enough to trick the victim to overcome those obstacles with execution.”

Government Cybersecurity Experts Keep Cautious Eye on Lazarus’ Rapid Growth

Kalnai isn’t alone in his concern. Former White House Senior Director of Cybersecurity Policy, Andrew Grotto, who held the role in both the Obama and Trump administrations and now directs Stanford’s Center for International Security and Cooperation also escalated the alarm, warning that North Korea’s ability to execute high-level cyberattacks had very quickly gone from an “aspiring antagonist” to successfully positioning itself as “a [if not the] top, cyber operators when it comes to high-end potential crimes.”

Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.

Other insights from Futurum Research:

Microsoft Issues Warning on Large Scale Phishing-as-a-Service Operation 

TeleSign Silent Verification Service Launches, Designed to Reduce Multi-Factor Authentication Headaches for Mobile Users

Google’s Cybersecurity Efforts to Include Mobile Devices as Security Keys

Image Credit: Phys.org

The original version of this article was first published on Futurum Research.