Don’t be fooled by crypto job scams!


-Lazarus, a North Korea-linked APT, has been using attractive job offers as lures in a number of campaigns since at least 2020, including a campaign against aerospace and defense contractors dubbed Operation Dream Job.

-In recent days, SentinelOne has seen a further variant of the same campaign that uses open positions at Crypto.com as the lure, a rival of the Coinbase exchange that an earlier variant impersonated.

-The first-stage dropper is a Mach-O binary built from a template similar to the safarifontsagent binary used in the Coinbase variant.

-The first stage creates a folder called WifiPreference in the user's Library and drops a persistence agent at ~/Library/LaunchAgents/com.wifianalyticsagent.plist, targeting an executable in the WifiPreference folder called wifianalyticsagent.

-The LaunchAgent uses the same Label as in the Coinbase variant, namely iTunes_trush, but changes the target executable location and the plist file name. Note that the Label does not match the plist file name, which is one more thing to look for when reviewing LaunchAgents.

-The WifiPreference folder contains several other items, including the decoy document, Crypto.com_Job_Opportunities_2022_confidential.pdf.

-The PDF is a 26 page dump of all vacancies at Crypto.com.

-The first-stage malware opens the PDF decoy document and wipes Terminal's current savedState, presumably so that the Terminal window in which the dropper ran is not restored on the next launch.

-The second stage in the Crypto.com variant is a bare-bones application bundle named WifiAnalyticsServ.app; this mirrors the architecture of the Coinbase variant, whose second stage was called FinderFontsUpdater.app.

-The main purpose of the second stage is to extract and execute the third-stage binary, wifianalyticsagent, which functions as a downloader that retrieves a payload from a C2 server.

-The downloaded payload is written to the WifiPreference folder as WifiCloudWidget.

-The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-lived campaigns and/or little concern about detection by their targets. It also means the folder, file and Label names above are present as plain strings and are straightforward to hunt for.

-The binaries are all universal Mach-Os capable of running on either Intel or M1 Apple silicon machines and carry only an ad hoc signature. That satisfies the requirement that native code on Apple silicon be signed, but it is not a Developer ID signature and the binaries are not notarized, so a file that still has the quarantine attribute will not pass Gatekeeper; the binaries run unimpeded only if the quarantine attribute is absent or the user overrides the warning.
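The following Python is an added example, not code from the original page or from SentinelOne's research. It triages the two indicator classes described above: the LaunchAgent persistence (the iTunes_trush Label, the WifiPreference folder and the file names) and the ad hoc code signature. All inputs are constructed to mirror the write-up: the plist contents, the victim path, and the abbreviated `codesign -dvv` output are assumptions, and the Label/file-name mismatch check is a weak heuristic of mine, not a claim the write-up makes.

```python
"""Triage helpers for the macOS persistence and signing indicators above.
Added example with constructed inputs; nothing here is a campaign artefact."""
from __future__ import annotations

import plistlib
from pathlib import PurePosixPath

# Indicators taken from the write-up above.
KNOWN_LABEL = "iTunes_trush"
KNOWN_DIR = "Library/WifiPreference"
KNOWN_FILES = {
    "wifianalyticsagent",
    "WifiCloudWidget",
    "WifiAnalyticsServ.app",
    "Crypto.com_Job_Opportunities_2022_confidential.pdf",
}


def assess_launch_agent(plist_name: str, plist_bytes: bytes) -> list[str]:
    """Return finding codes for one LaunchAgent plist (empty list = nothing seen)."""
    data = plistlib.loads(plist_bytes)
    findings: list[str] = []
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    stem = plist_name[:-len(".plist")] if plist_name.endswith(".plist") else plist_name

    if label == KNOWN_LABEL:
        findings.append("known_label")
    # Heuristic (assumption): legitimate agents usually name the plist after the Label.
    if label and stem != label:
        findings.append("label_filename_mismatch")
    if KNOWN_DIR in program:
        findings.append("known_directory")
    if PurePosixPath(program).name in KNOWN_FILES:
        findings.append("known_filename")
    return findings


def signing_summary(codesign_output: str) -> dict[str, bool]:
    """Classify text from `codesign -dvv <binary>`: ad hoc vs Developer ID, universal or not."""
    lines = [line.strip() for line in codesign_output.splitlines()]
    return {
        "adhoc": any(line == "Signature=adhoc" for line in lines),
        "developer_id": any(line.startswith("Authority=Developer ID Application:") for line in lines),
        "universal": any(line.startswith("Format=Mach-O universal") for line in lines),
    }


# Constructed sample: a plist mirroring the persistence agent described above.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>iTunes_trush</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/WifiPreference/wifianalyticsagent</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: a benign agent whose Label matches its file name.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.agent</string>
  <key>Program</key><string>/usr/local/bin/example-agent</string>
</dict>
</plist>
"""

# Constructed, abbreviated `codesign -dvv` output for an ad hoc signed universal binary.
ADHOC_CODESIGN = """Executable=/Users/victim/Library/WifiPreference/wifianalyticsagent
Identifier=wifianalyticsagent
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
Info.plist=not bound
"""

if __name__ == "__main__":
    print(assess_launch_agent("com.wifianalyticsagent.plist", SUSPECT_PLIST))
    print(assess_launch_agent("com.example.agent.plist", BENIGN_PLIST))
    print(signing_summary(ADHOC_CODESIGN))
```

On a real host the same functions would be fed the bytes of each file under ~/Library/LaunchAgents and the output of `codesign -dvv` on each target program; the ad hoc result on its own is only a prioritisation signal, since plenty of locally built tools are ad hoc signed too.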

Related reading: From the Front Lines: Lazarus Operation Interception Targets macOS Users Dreaming of Jobs in Crypto (SentinelOne)
