North Korean hacking group Lazarus is on the prowl again and it is now phishing Mac users with fake job posts that contain malicious files. The hacking was discovered by security researchers at ESET who mentioned that the Lazarus group's latest phishing attempts make use of fake phone calls and advertise fake Coinbase Inc developer jobs.


"#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil 🇧🇷. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher," ESET Research recently tweeted.






According to the security researchers at ESET, the hacking link that is being circulated is compiled for both Intel and Apple Silicon. "Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http://FinderFontsUpdater.app  and a downloader safarifontagent. It is similar to #ESETresearch discovery in May."


It should be noted that the phishing campaign has so far been successfully blocked, however, the result could have been far worse. According to Kevin Bocek, the Vice President of Security Strategy and Threat Intelligence at Venafi Inc, was quoted as saying by publication Silicone Angle: “This attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals."


“A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates have become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices.”


To recall, North Korean Lazarus Group is infamous for having an extensive track record of targeting potential victims. Lazarus is best known for being behind the WannaCry ransomware spread in 2017 that struck more than 150 countries. The Lazarus Group has regularly popped up since the WannaCry hack of 2017.