North Korean state-sponsored APT group Lazarus has launched a cyberespionage campaign leveraging fraudulent Coinbase job postings in an effort to infect Apple- and Intel-based systems with macOS malware, according to Threatpost.
Lazarus has impersonated cryptocurrency trading platform Coinbase in postings that offer job opportunities for software engineers specializing in product security but in fact conceal a Mac executable, ESET Research Labs researchers noted.
"Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http[://]FinderFontsUpdater[.]app and a downloader safarifontagen," said ESET in a tweet.
Researchers found similarities between the newly identified malware and another sample with a signed executable spoofing a job description, which was identified by ESET in May. However, the malware strains had different command-and-control infrastructures.
Despite being sanctioned by the U.S. government in 2018, Lazarus has continued attacks against various industries around the world, having impersonated General Motors and Boeing in a similar campaign last year.