North Korean Hackers Target Apple-Using Job Seekers

Jamie Kavanagh
Jamie Kavanagh
August 29th, 2022

The Lazarus Group, attributed to North Korea, has been seen targeting Apple users. Specifically, Apple users with Mac that use either M1 or Intel chipsets.

The attacks are believed to be related to Operation In(ter)caption, a long running program initially designed to trick military staff into downloading infected files for job offers.

The security firm ESET observed the attack being used and captured a file it uses as part of the attack.

"Malware is compiled for both Intel and Apple Silicon," the company said in a series of tweets. "It drops three files: a decoy PDF document 'Coinbase_online_careers_2022_07.pdf', a bundle ',' and a downloader 'safarifontagent.'"

The Malware

The PDF contains a Mach-0 executable that will download the FinderFontsUpdater to an infected machine. That, in turn, will download safarifontsagent, which is another downloader.

The malware doesn’t work in isolation though. It’s part of a complex social engineering scam that attempts to fool employees into applying for fake jobs and downloading the career PDF.

It has been seen a few times over the past couple of years. While this particular variant targets Apple users, there’s a version that targets Windows users too.

It’s believed the malware is what caused the Axie Infinity hack earlier this year - a hack that reportedly cost $625 million.

This isn’t the only scam attributed to The Lazarus Group.

They have been linked with a number of scams, from ransomware to hacking. Targets include governments, authorities and business, with the motivation mainly being about money.

While not official, it is widely believed The Lazarus Group are part of the North Korean government’s offensive cyber capability. It seems the intent is to raise much needed capital as well as be as disruptive as possible.

If you’re looking for work, stick to legitimate career websites and be aware of anyone who contacts you out of the blue about a job. That’s especially true if they use a social network like Facebook or LinkedIn.

© 2023 Redact - All rights reserved