North Korea Cyber Threat Group ‘Lazarus’ Targets M1 Mac with Signed Executables

M1 MacBook and Intel

The malware, Interception.dll, is designed to execute by loading three files: a decoy PDF document and two executables FinderFontsUpdater.app and safarifontagent, according to a series of tweets by ESET Research.

Compiled for M1 processor-based Macs and Intel silicon, the malware was uploaded to VirusTotal from Brazil, ESET said.

To get to their targets, the attackers used social engineering via LinkedIn “hiding behind the ruse of attractive, but bogus, job offers,” ESET said, adding that it was likely part of the Lazarus campaign for Mac and is similar to research done by ESET in May.

Late last week, Apple revoked the certificate that enabled the malware to execute after ESET alerted the company to the campaign, according to Dark Reading. As a result, Macs with macOS Catalina v10.15 and later are protected, as long as the user has basic security awareness, Peter Kalnai, a senior malware researcher for ESET, told the cybersecurity publication.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Long History

The Lazarus cyber collective has been operating for more than 10 years “with the North Korean government’s blessing,” as noted by Forbes. One of its highest-profile heists was the theft of over $600 million worth of cryptocurrency from the gaming-centric Ronin Network, an Ethereum-compatible blockchain.

And Lazarus has been linked to the WannaCry ransomware in May 2017 that impacted hospitals, governments and businesses around the world, resulting in an estimated $4 billion in losses, among other incidents (see below).

Lazarus had made a name for itself with cyber-espionage

One of the primary goals of the operation has been espionage, EST said in a blog post in 2020 when it first uncovered “Operation In(ter)caption.” The APT group had been conducting targeted attacks against aerospace and military companies in Europe and the Middle East in the last few months of 2019, ESET said at that time.

“The North Korean APT group Lazarus has made a real name for itself with its cyberespionage campaigns, and this attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals,” said Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi.

Venafi research shows that the proceeds of cybercriminal activities from North Korean APT groups are being used to circumvent international sanctions and gather intelligence, Bocek said, adding that the money from attacks is being funnelled directly into the North Korea’s weapons programs.

Longstanding interest in malicious use of machine identities

 “A key component of the attack is the use of a signed executable disguised as a job description,” according to Bocek.  

Code signing certificates has become the modus operandi for many North Korean APT groups, as these digital certificates are the “keys to the castle, securing communication between machines of all kinds, from servers to applications to Kubernetes clusters and microservices,” Bocek said.

“We’ve seen countless times how North Korean hackers use signed certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks,” according to Bocek citing incidents such as the 2014 Sony Hack and the $101 million Bangladesh Bank cyber hack via the SWIFT banking system.

These attacks have demonstrated North Korea’s long-standing interest in the malicious use of machine identities, which is a blind spot for many organizations.  The Lazarus group understands machine identity and exploits it effectively, Bocek said.

Related Posts

• Code Signing Risks and Containers: What You Need to Know
• Code Signing Risks: Hackers Are Getting Better at Stealing Code Signing Machine Identities
• New Study on Code Signing Certificates as Supply Chain Attack Targets

Malware hiding a signed Mac executable disguised as a job description for Coinbase is another example of an attack by Lazarus, a North Korean Advanced Persistent Threat (APT) group. Code signing certificates has become the modus operandi for many North Korean APT groups.