North Korean Hackers Use Signed macOS Malware To Target IT Job Seekers (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector. The name of the false document was "Coinbase_online_careers_2022_07." When launched, it displays the decoy PDF above and loads a malicious DLL that ultimately allows the threat actor to send commands to the infected device. Security researchers at cybersecurity company ESET found that the hackers also had malware ready for macOS systems. They said that the malicious file is compiled for Macs with both Intel and Apple silicon, meaning that users of both older and newer models were targeted. In a thread on Twitter, they note that the malware drops three files [...].
ESET linked the recent macOS malware to Operation In(ter)ception, a Lazarus campaign that targeted high-profile aerospace and military organizations in a similar way. Looking at the macOS malware, the researchers noticed that it was signed on July 21 (as per the timestamp value) with a certificate issued in February to a developer using the name Shankey Nohria and team identifier 264HFWQH63. On August 12, the certificate had not been revoked by Apple. However, the malicious application was not notarized -- an automatic process that Apple uses to check software for malicious components. Compared to the previous macOS malware attributed to the Lazarus group of hackers, ESET researchers observed that the downloader component connects to a different command and control (C2) server, which was no longer responding at the time of the analysis.
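The summary turns on two triage facts a defender can check on any suspicious Mac binary: whether it is a universal image built for both Intel and Apple silicon, and whether its Developer ID signature was ever notarized. The added example below (not code from ESET, Apple or the article) parses a Mach-O fat header and the text of `codesign -dvv` / `spctl --assess -vv` output; the header bytes and tool output are constructed samples, with only the team identifier and developer name taken from the report.

```python
import struct

# Mach-O constants from <mach-o/fat.h> and <mach/machine.h>.
FAT_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACF
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def macho_architectures(data: bytes) -> list:
    """List the CPU slices in a Mach-O image; a universal (fat) binary reports several."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:        # fat header is big-endian
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat > 32:  # Java class files share this magic; real fat headers hold a few slices
            return []
        # Each 20-byte fat_arch entry begins with cputype; entries follow the 8-byte header.
        return [CPU_NAMES.get(struct.unpack(">I", data[8 + 20 * i:12 + 20 * i])[0], "unknown")
                for i in range(nfat)]
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:      # thin 64-bit image, little-endian
        return [CPU_NAMES.get(struct.unpack("<I", data[4:8])[0], "unknown")]
    return []

def triage_signature(codesign_out: str, spctl_out: str, blocked_team_ids: set) -> list:
    """Return findings from the text of `codesign -dvv` and `spctl --assess -vv` output."""
    findings = []
    team_id = next((l.split("=", 1)[1] for l in codesign_out.splitlines()
                    if l.startswith("TeamIdentifier=")), None)
    if team_id in blocked_team_ids:
        findings.append(f"team identifier {team_id} is on the blocklist")
    if "Signature=adhoc" in codesign_out:
        findings.append("ad-hoc signature: no developer identity at all")
    # A valid Developer ID signature is not notarization; spctl names the Gatekeeper source.
    if "source=Notarized Developer ID" not in spctl_out:
        findings.append("signed but not notarized: Apple never scanned this app")
    return findings

# Constructed fat header with two slices (x86_64, then arm64); not bytes from the real sample.
SAMPLE_FAT_HEADER = (struct.pack(">II", FAT_MAGIC, 2)
                     + struct.pack(">IIIII", 0x01000007, 3, 0x4000, 0x1000, 14)
                     + struct.pack(">IIIII", 0x0100000C, 0, 0x8000, 0x1000, 14))
# Constructed tool output in codesign/spctl layout; team ID and name are the ones ESET reported.
SAMPLE_CODESIGN = """Executable=/path/to/sample.app/Contents/MacOS/sample
Authority=Developer ID Application: Shankey Nohria (264HFWQH63)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 21, 2022 at 12:00:00 PM
TeamIdentifier=264HFWQH63"""
SAMPLE_SPCTL = "/path/to/sample.app: rejected\nsource=Unnotarized Developer ID"

if __name__ == "__main__":
    print(macho_architectures(SAMPLE_FAT_HEADER))  # ['x86_64', 'arm64']
    for f in triage_signature(SAMPLE_CODESIGN, SAMPLE_SPCTL, {"264HFWQH63"}):
        print("FINDING:", f)
```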
DLL's don't exist on MacOS, they use shared librar (Score:3)
DLLs don't exist on macOS; they use shared libraries (.so), unless it's the .NET framework on macOS.
Re:DLL's don't exist on MacOS, they use shared lib (Score:4, Informative)
Yep, terrible editing as usual. The original article is explaining how the Windows version of the malware works, but the Slashdot summary omits a couple of paragraphs, making it look like it's describing the Mac version.
Re: (Score:2)
OP is correct, but for the novice reader, DLL and .so are essentially the same thing. Windows just likes to name things differently.
See explanation here which seems pretty accurate to me:
https://stackoverflow.com/ques... [stackoverflow.com]
Re: (Score:3)
There's more than a name difference. A DLL is the same as a PE file (normally an EXE), with the main difference being that it doesn't have an entry/bootstrap point defined. The binary blob objects in a DLL can be loaded into memory and called willy-nilly, whereas a shared object has to be loaded along with the rest of the program that is linked to it, and is therefore always in the address space no matter what.
Though in practice, nobody really does that anymore, and it's getting increasingly common to statically link everything, making both concepts increasingly irrelevant.
Re: (Score:2)
>Though in practice, nobody really does that anymore, and it's getting increasingly common to statically link everything, making both concepts increasingly irrelevant.
And I, for one, am thrilled about this particular fad. There's a use case for DLLs, but it's small.
I wish VS would default to static builds (so that people would be more likely to do it that way), but MS will die on that hill.
Re: (Score:2)
The API, behavior and mechanisms are much different between DLLs and .so's.
totally fine with support for Ukraine (Score:2)
Putin was emboldened by his easy theft of Crimea. Thought NATO was sufficiently divided he could roll into Ukraine and take it over. Whoops!
PDF was first clue. (Score:2)
Re: (Score:2)
Given the confusing and inconsistent reliability of web forms and Word documents, it's commonplace for technology workplaces to send documents in PDF for accessibility and searchability.
Not a PDF (Score:3)
Just to clarify, because the summary makes it ambiguous: it was not a PDF document, but an executable (.exe or macOS app file) that happens to use a PDF icon so victims would click it. It was signed with a stolen certificate to pass macOS verifications. It would not work in Linux because an email attachment would not have the +x execution privilege.
"IT Job Seekers" (Score:2)