Security researchers at SentinelOne have uncovered a variant of the Operation In(ter)ception campaign using lures for job vacancies at cryptocurrency exchange platform Crypto.com to infect macOS users with malware.
According to an advisory published on Monday, the new attacks would represent a further instance of a campaign spotted by ESET and Malwarebytes in August and attributed to North Korea–linked advanced persistent threat (APT) Lazarus Group.
The main difference would be that the original campaign targeted Coinbase instead of Crypto.com.
“While those campaigns distributed Windows malware, macOS malware has been discovered using a similar tactic,” reads the advisory.
“Decoy PDF documents advertising positions on crypto exchange platform Coinbase were discovered by our friends at ESET back in August 2022, with indications that the campaign dated back at least a year. Last week, SentinelOne observed variants of the malware using new lures for vacancies at Crypto.com.”
The security company said that, at the time of writing, it is not clear yet how the malware is being distributed. However, earlier reports suggested that threat actors targeted victims via private messaging on LinkedIn.
From a technical standpoint, SentinelOne said the first stage dropper is a Mach–O binary that is a similar template to the binary used in the Coinbase variant. The first stage then creates a new folder in the user’s library and drops a persistence agent.
The primary purpose of the second stage is to extract and execute the third–stage binary, which in turn acts as a downloader from a C2 server.
“The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short–term campaigns and/or little fear of detection by their targets,” reads the advisory.
More generally, SentinelOne said Operation In(ter)ception appears to be extending the targets from users of crypto exchange platforms to their employees in “what may be a combined effort to conduct both espionage and cryptocurrency theft.”
A list of indicators of compromise (IoC) is available in the original text of the advisory. Its publication comes weeks after Cisco Talos unveiled new details regarding a Lazarus hacking campaign the group conducted against several energy providers between February and July 2022.