Published in News

North Koreans use macOS to lure fanboys from the financial sector

by on18 August 2022

Because macOS is so secure

North Korean hackers have been making a killing using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector.

The name of the false document was "Coinbase_online_careers_2022_07." When launched, it displays the decoy PDF above and loads a malicious DLL that ultimately allows the threat actor to send commands to the infected device.

Security researchers at cybersecurity company ESET found that the hackers also had malware ready for macOS systems. They said that the malicious file is compiled for Macs with Apple silicon, meaning that users of both older and newer models were targeted. 

ESET linked the recent macOS malware to Operation In(ter)ception, a Lazarus campaign that targeted high-profile aerospace and military organisations.

Looking at the macOS malware, the researchers noticed that it was signed on July 21 with a certificate issued in February to a developer using the name Shankey Nohria and team identifier 264HFWQH63.

Apple did not bother to revoke the certificate because it is so on the ball with security issues, but fortunately the malicious application was not notarised because that was an automatic process and did not depend on the finest fines that Apple has to offer. So the certificate was automatically revoked on August 12.


Last modified on 18 August 2022
Rate this item
(3 votes)

Read more about: