
Infamous North Korean hacking group Lazarus is attempting to target Apple Inc. Mac users via fake job offers.

Detailed Aug. 16 by security researchers at ESET s.r.o. on Twitter, the new Lazarus campaign involves phony emails impersonating Coinbase Inc. The fake job emails include an attachment containing malicious files that can compromise both Intel and Apple chip-powered Mac computers.

The Mac malware drops three files: a decoy PDF document, a fake font updater app and a downloader called “safarifontagent.” The bundle of malicious files is timestamped July 21, indicating that the campaign is new rather than part of previous Lazarus campaigns. Other differences in the new campaign include the previously known Lazarus downloader “safarifontagent” connecting to a different command and control server. The malicious files were signed with a certificate issued in February this year to a developer known as “Shankey Nohria.” The ESET researchers noted that the C&C server did not respond at the time they attempted to analyze the threat.

Late last week, Apple revoked the certificate that enabled the malware to execute after ESET alerted the company to the campaign, according to Dark Reading. As a result, Macs with macOS Catalina v10.15 and later are protected, as long as the user has basic security awareness, Peter Kalnai, a senior malware researcher for ESET, told the cybersecurity publication.

Compiled for both M1 processor-based Macs and Intel silicon, the malware was uploaded to VirusTotal from Brazil, ESET said. To get to their targets, the attackers used social engineering via LinkedIn, “hiding behind the ruse of attractive, but bogus, job offers,” ESET said, adding that the activity was likely part of the Lazarus campaign against Macs and is similar to research ESET published in May.

Lazarus had made a name for itself with cyber-espionage

One of the primary goals of the operation has been espionage, ESET said in a blog post in 2020 when it first uncovered “Operation In(ter)ception.” The APT group had been conducting targeted attacks against aerospace and military companies in Europe and the Middle East in the last few months of 2019, ESET said at that time.

The Lazarus cyber collective has been operating for more than 10 years “with the North Korean government’s blessing,” as noted by Forbes. One of its highest-profile heists was the theft of over $600 million worth of cryptocurrency from the gaming-centric Ronin Network, an Ethereum-compatible blockchain. And Lazarus has been linked to the WannaCry ransomware in May 2017 that impacted hospitals, governments and businesses around the world, resulting in an estimated $4 billion in losses, among other incidents (see below).

“The North Korean APT group Lazarus has made a real name for itself with its cyberespionage campaigns, and this attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals,” said Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi. “A key component of the attack is the use of a signed executable disguised as a job description,” according to Bocek.

Longstanding interest in malicious use of machine identities

Code signing certificates have become the modus operandi for many North Korean APT groups, as these digital certificates are the “keys to the castle, securing communication between machines of all kinds, from servers to applications to Kubernetes clusters and microservices,” Bocek said.

“We’ve seen countless times how North Korean hackers use signed certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks,” according to Bocek, citing incidents such as the 2014 Sony hack and the $101 million Bangladesh Bank cyber hack via the SWIFT banking system. These attacks have demonstrated North Korea’s long-standing interest in the malicious use of machine identities, which is a blind spot for many organizations. The Lazarus group understands machine identity and exploits it effectively, Bocek said.

Venafi research shows that the proceeds of cybercriminal activities by North Korean APT groups are being used to circumvent international sanctions and gather intelligence, Bocek said, adding that the money from attacks is being funnelled directly into North Korea’s weapons programs.
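The practical takeaway from a signed dropper like this one is that “signed” is not the same as “safe”: what matters is who the Developer ID certificate was issued to, whether the bundle is notarized (which Gatekeeper on macOS 10.15 and later demands for downloaded Developer ID software), and whether Apple has since revoked the certificate. The triage script below is an added example and is not code from ESET, Apple, Venafi or the article. It parses the output of two real macOS tools, `codesign -dvvv` and `spctl -a -vv -t execute`, and flags the properties a responder would check on a suspicious app bundle. The sample tool output embedded in it is constructed; the bundle path, bundle identifier, developer name, team identifier and hashes are placeholders, not values from the campaign.

```python
import re

# Constructed sample of `codesign -dvvv FontUpdater.app 2>&1` output. Every
# identifier below is a placeholder; none comes from the real campaign.
SAMPLE_CODESIGN = """\
Executable=/Users/victim/Downloads/FontUpdater.app/Contents/MacOS/FontUpdater
Identifier=com.example.fontupdater
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1182 flags=0x0(none) hashes=28+5 location=embedded
Hash type=sha256 size=32
Signature size=9012
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 21, 2022 at 09:12:44 AM
Info.plist entries=18
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=176
"""

# Constructed sample of `spctl -a -vv -t execute FontUpdater.app` for the same
# bundle: Developer ID-signed but never notarized, so Catalina+ rejects it.
SAMPLE_SPCTL = """\
/Users/victim/Downloads/FontUpdater.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Developer (ABCDE12345)
"""

# Leaf certificate subject as codesign prints it: name followed by the 10-char team ID.
LEAF_RE = re.compile(r"^Developer ID Application: (?P<name>.+) \((?P<team>[A-Z0-9]{10})\)$")


def parse_codesign(text):
    """Turn codesign's key=value lines into a dict. 'Authority' repeats once per
    certificate in the chain (leaf first), so it is kept as an ordered list."""
    info = {"Authority": []}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def parse_spctl(text):
    """Extract the Gatekeeper verdict ('accepted'/'rejected') and the source/origin
    fields from spctl's assessment output."""
    lines = text.strip().splitlines()
    verdict = lines[0].rsplit(": ", 1)[-1] if lines else ""
    fields = dict(l.split("=", 1) for l in lines[1:] if "=" in l)
    return {"verdict": verdict, **fields}


def triage(codesign_text, spctl_text, trusted_teams=frozenset()):
    """Return a list of short finding tags for the bundle. trusted_teams is the
    analyst's allowlist of Team IDs that are expected to sign software here."""
    info = parse_codesign(codesign_text)
    gk = parse_spctl(spctl_text)
    findings = []

    fmt = info.get("Format", "")
    if "x86_64" in fmt and "arm64" in fmt:
        findings.append("universal-binary")  # runs natively on Intel and Apple silicon

    chain = info["Authority"]
    leaf = LEAF_RE.match(chain[0]) if chain else None
    if leaf and chain[-1] == "Apple Root CA":
        findings.append("developer-id-signed")
        if leaf.group("team") not in trusted_teams:
            findings.append("unknown-team-id:" + leaf.group("team"))
    elif chain:
        findings.append("non-developer-id-chain")  # e.g. ad-hoc or self-signed
    else:
        findings.append("unsigned")

    # Notarization requires the hardened runtime; its absence shows in the
    # CodeDirectory flags (e.g. flags=0x10000(runtime) when present).
    if not re.search(r"flags=\S*runtime", info.get("CodeDirectory", "")):
        findings.append("no-hardened-runtime")

    if gk["verdict"] != "accepted":
        findings.append("gatekeeper-rejected:" + gk.get("source", "unknown"))

    if "Timestamp" not in info:
        findings.append("no-secure-timestamp")
    return findings


if __name__ == "__main__":
    for tag in triage(SAMPLE_CODESIGN, SAMPLE_SPCTL, trusted_teams={"ZZZZZZZZZZ"}):
        print(tag)
```

On a real Mac, capture the two outputs with `codesign -dvvv App.app 2>&1` and `spctl -a -vv -t execute App.app` and pass them to `triage()`. Once Apple revokes a certificate, as the article says it did here, the `spctl` assessment fails even on an older system that would previously have run the bundle, so a historical “accepted” result from before the revocation should not be trusted.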
