Security researchers at SentinelOne have discovered a new variant of the Operation In(ter)ception campaign that targets macOS users with malware delivered through job-vacancy lures impersonating Crypto.com. The campaign, previously linked to the Lazarus Group, was first identified by ESET and Malwarebytes in August, when the original attacks used Coinbase as the lure.
The latest attacks, using decoy PDF documents advertising job positions at Crypto.com, indicate a shift towards targeting employees of cryptocurrency exchange platforms. While the original campaign targeted Windows users, this new variant is specifically designed to infect macOS systems.
At this time, the method used to deliver the malware in these attacks is still unclear. However, previous reports have suggested that the threat actors approach victims through private messages on LinkedIn. The malware itself starts with a Mach-O first-stage dropper, which creates a new folder in the user's Library directory and drops a persistence agent. A second stage then extracts and executes a third-stage binary that acts as a downloader, retrieving further payloads from a command-and-control (C2) server.
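A defender-side check for the persistence behaviour described above, added here as an illustration rather than anything from SentinelOne's advisory: it audits LaunchAgent property lists and flags agents that execute a binary from inside the user's own Library folder. It assumes the dropped persistence agent is a LaunchAgent plist (the article does not say which mechanism is used); the sample plists, the label, the paths and the home directory are constructed.

```python
import plistlib
from pathlib import Path

# Locations a legitimate LaunchAgent usually executes from. Anything launched
# from inside the user's own Library folder (as the dropper described above
# does) is treated as suspect.
EXPECTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/")


def audit_launch_agent(plist_bytes: bytes, home: str = "/Users/alice") -> list:
    """Return the reasons a LaunchAgent plist looks like dropped persistence.
    An empty list means nothing suspicious was found."""
    findings = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed plist: report it instead of crashing
        return [f"unparseable plist: {exc}"]
    # The executable is either 'Program' or the first 'ProgramArguments' entry.
    program = data.get("Program") or (data.get("ProgramArguments") or [""])[0]
    if not program:
        findings.append("no executable declared")
    elif program.startswith(home + "/Library/"):
        findings.append(f"executable lives in user Library: {program}")
    elif not program.startswith(EXPECTED_PREFIXES):
        findings.append(f"executable outside standard locations: {program}")
    if data.get("RunAtLoad") is True:
        findings.append("RunAtLoad set (starts at every login)")
    if data.get("KeepAlive"):
        findings.append("KeepAlive set (relaunched if killed)")
    return findings


def audit_directory(agents_dir: Path, home: str) -> dict:
    """Audit every .plist under a LaunchAgents directory: {filename: findings}."""
    return {p.name: audit_launch_agent(p.read_bytes(), home) for p in agents_dir.glob("*.plist")}


# Constructed samples (hypothetical paths and labels, not indicators from the article).
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/UpdaterHelper/updater", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.vendor.helper",
    "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/helper"],
})

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, audit_launch_agent(blob))
```

On a real system, call `audit_directory(Path.home() / "Library/LaunchAgents", str(Path.home()))` and review any non-empty result.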
Notably, the threat actors have made no attempt to encrypt or obfuscate any of the binaries, which may indicate either a lack of concern about detection or a short-lived campaign. SentinelOne assesses that Operation In(ter)ception is expanding its targeting from users of cryptocurrency exchange platforms to the platforms' employees, likely in order to conduct both espionage and cryptocurrency theft.
This discovery comes shortly after Cisco Talos revealed details of a Lazarus Group campaign that targeted energy providers earlier this year. To help organizations identify potential compromises, SentinelOne has published a list of indicators of compromise (IoCs) in its advisory.
As cybersecurity threats continue to evolve, it is crucial for organizations and individuals to remain vigilant and implement robust security measures to protect against malicious attacks. Stay informed and stay safe in the ever-changing landscape of cybersecurity threats.