

Back in August, researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange. In this post, we review the details of this ongoing campaign and publish the latest indicators of compromise.

North Korean-linked APT threat actor Lazarus has been using lures for attractive job offers in a number of campaigns since at least 2020, including targeting aerospace and defense contractors in a campaign dubbed ‘Operation Dream Job’. While those campaigns distributed Windows malware, macOS malware has been discovered using a similar tactic. Decoy PDF documents advertising positions on crypto exchange platform Coinbase were discovered by our friends at ESET back in August 2022, with indications that the campaign dated back at least a year. Last week, SentinelOne observed variants of the malware using new lures for vacancies at.

Decoy document advertising positions on

First Stage and Persistence

Although it is not clear at this stage how the malware is being distributed, earlier reports suggested that threat actors were attracting victims via targeted messaging on LinkedIn. The first stage dropper is a Mach-O binary that is a similar template to the safarifontsagent binary used in the Coinbase variant. The first stage creates a folder in the user’s Library called “WifiPreference” and drops a persistence agent at ~/Library/LaunchAgents/, targeting an executable in the WifiPreferences folder called wifianalyticsagent. The LaunchAgent uses the same label as in the Coinbase variant, namely iTunes_trush, but changes the target executable location and the agent file name. Analysis of the binary shows that these details are simply hardcoded in the startDaemon() function at compile time, and as such there are likely to be further variants extant or forthcoming.

The startDaemon() function hardcodes the persistence agent details

The WifiPreference folder contains several other items, including the decoy document, _Job_Opportunities_2022_confidential.pdf. Consistent with observations in the earlier campaign, this PDF is created with MS Word 2016, PDF version 1.5. The PDF is a 26-page dump of all vacancies at.
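A defender-side check for the persistence pattern described above, added here as an example and not code from SentinelOne or the malware itself: it parses LaunchAgent plists and flags the reused iTunes_trush label or a target executable under the WifiPreference staging folder. The sample plist and the victim home path are constructed; the page does not give the agent's file name, so none is assumed.

```python
import os
import plistlib
from typing import Dict, List

# Indicators taken from the write-up: the LaunchAgent label reused from the
# Coinbase variant and the staging folder the first stage creates under ~/Library.
SUSPICIOUS_LABELS = {"iTunes_trush"}
SUSPICIOUS_PATH_FRAGMENTS = ("/Library/WifiPreference", "wifianalyticsagent")


def check_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist matches the campaign's persistence
    pattern; an empty list means no indicator was found."""
    try:
        agent = plistlib.loads(plist_bytes)
    except Exception:  # binary/XML parse errors both land here
        return ["plist could not be parsed"]
    if not isinstance(agent, dict):
        return []
    reasons = []
    label = agent.get("Label")
    if isinstance(label, str) and label in SUSPICIOUS_LABELS:
        reasons.append("label reused from the Coinbase variant: " + label)
    # The target executable may be given via Program or ProgramArguments.
    targets = [agent["Program"]] if isinstance(agent.get("Program"), str) else []
    args = agent.get("ProgramArguments")
    if isinstance(args, list):
        targets.extend(a for a in args if isinstance(a, str))
    for target in targets:
        if any(frag in target for frag in SUSPICIOUS_PATH_FRAGMENTS):
            reasons.append("target in WifiPreference staging folder: " + target)
            break
    return reasons


def scan_launch_agents(directory: str) -> Dict[str, List[str]]:
    """Check every .plist in a LaunchAgents directory; returns path -> reasons."""
    hits = {}
    if not os.path.isdir(directory):
        return hits
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                reasons = check_launch_agent(fh.read())
            if reasons:
                hits[path] = reasons
    return hits


# Constructed samples (not real artefacts): one matching the pattern, one benign.
SAMPLE_AGENT = plistlib.dumps({"Label": "iTunes_trush", "RunAtLoad": True,
    "ProgramArguments": ["/Users/victim/Library/WifiPreference/wifianalyticsagent"]})
BENIGN_AGENT = plistlib.dumps({"Label": "com.example.sync", "Program": "/usr/bin/true"})

if __name__ == "__main__":
    print(check_launch_agent(SAMPLE_AGENT))
    print(scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")))
```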
