That Coinbase job offer could actually be North Korean hackers

Hands typing on a keyboard surrounded by security icons
(Image credit: Shutterstock)

Experts have warned that the dangerous Lazarus group is now targeting Web3 developers on Mac devices. 

The North Korean state-sponsored threat actor recently went after blockchain developers with fake lucrative job offers that turned out to be nothing more than infostealers and malware

While these attacks were limited to Windows users at first, cybersecurity researchers from ESET have now discovered they are expanding into Apple territory, too. 

Intel and Apple chips attacked

The campaign is pretty much the same for both platforms. The group would impersonate Coinbase, one of the largest and most popular cryptocurrency exchanges in the world, and reach out to blockchain developers via LinkedIn and other platforms with a job offer. After a little back-and-forth, and a few rounds of “interviews”, the attacker would serve the victim what seems to be a .pdf file with the job position’s details.

The file’s name is Coinbase_online_careers_2022_07, and while it looks like a .pdf (icon and all), it is actually a malicious DLL that allows Lazarus to send commands to the infected endpoint. The file is compiled for Macs with both Intel and Apple processors, the researchers further discovered, suggesting that the group is after both older, and newer device models. 

Detailing the attack via Twitter, the researchers said the malware drops three files: the bundle FinderFontsUpdater.app, the downloader safarifontagent, and a decoy PDF called “Coinbase_online_careers_2022_07.pdf”. 

Lazarus Group is no stranger to fake job offer attacks, and it’s conducted these attacks in the past with much success. In fact, one of the largest cryptocurrency heists in history, the $600+ million-heavy attack on the Ronin bridge, was done in that exact manner. 

After reaching out to a software engineer and luring him into downloading the fake .pdf file, the attackers from Lazarus found their way into the system, obtained the necessary credentials, and siphoned out millions in cryptocurrency tokens.

In this case, however, the malware was signed on July 21, with a certificate issued to a developer going by the name Shankey Nohria. The team identifier was 264HFWQH63. While the certificate had not been revoked on August 12 when it was checked, BleepingComputer reports, the researchers did find that Apple didn’t scan it for malicious components. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.