Lazarus APT’s Operation Interception Uses Signed Binary
Malware authors have regularly used signed binaries to bypass Apple's security mechanisms and infect macOS users. We came across one such sample: this time the lure is a job vacancy at Coinbase, and while the victim reads the decoy the dropper silently installs a signed binary in the background and carries out its malicious activity. This is an instance of Operation In(ter)ception by Lazarus.
The malware under consideration is a fat binary containing executables compiled for both the x86_64 and ARM64 architectures, so it runs on both Intel and Apple silicon machines.
The malware is a signed executable. The developer ID belonged to Shankey Nohria, but it has since been revoked.
When executed, it drops 4 files into the folder ~/Library/Fonts (the ~ character stands for the user's home directory):
1. A PDF document named Coinbase_online_careers_2022_07.pdf
2. A package bundle named FinderFontsUpdater.app which contains a fat binary
3. A downloader agent which connects to the C2 named safarifontsagent. This is also a …
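Two triage checks a defender can run against a suspect sample and an endpoint, written as an added example for this post (not code from the original article or from the malware): a parser for the universal (fat) Mach-O header that reports which architecture slices are present, and a lookup for the dropped file names the post lists under ~/Library/Fonts. The CPU type constants and header layout are Apple's public Mach-O definitions; the sample header bytes are constructed here.

```python
"""Triage helpers for the fat-binary dropper described above (added example)."""
import os
import struct
from typing import Iterable, List

FAT_MAGIC = 0xCAFEBABE           # universal binary magic, stored big-endian
CPU_TYPE_X86_64 = 0x01000007     # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C      # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# File names the article says are dropped into ~/Library/Fonts.
DROPPED_ARTIFACTS = (
    "Coinbase_online_careers_2022_07.pdf",
    "FinderFontsUpdater.app",
    "safarifontsagent",
)


def fat_architectures(data: bytes) -> List[str]:
    """Return the architecture names of the slices in a fat Mach-O header.

    Only the fat header is parsed; a thin Mach-O or any other file yields [].
    """
    if len(data) < 8:
        return []
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return []
    archs = []
    for i in range(nfat_arch):
        off = 8 + i * 20          # each fat_arch entry is five 32-bit fields
        if off + 20 > len(data):  # truncated header: stop rather than crash
            break
        cputype = struct.unpack(">I", data[off:off + 4])[0]
        archs.append(CPU_NAMES.get(cputype, hex(cputype)))
    return archs


def find_dropped_artifacts(entries: Iterable[str]) -> List[str]:
    """Given the names present in a Fonts directory, return the known dropped names."""
    present = set(entries)
    return [name for name in DROPPED_ARTIFACTS if name in present]


def scan_fonts_dir(fonts_dir: str = os.path.expanduser("~/Library/Fonts")) -> List[str]:
    """Check the real ~/Library/Fonts (or another directory) for the artifacts."""
    return find_dropped_artifacts(os.listdir(fonts_dir)) if os.path.isdir(fonts_dir) else []


# Constructed sample: a fat header with one x86_64 and one arm64 slice
# (offsets and sizes are placeholders; only the header is needed here).
SAMPLE_FAT_HEADER = (struct.pack(">II", FAT_MAGIC, 2)
                     + struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x4000, 0x1000, 14)
                     + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x8000, 0x1000, 14))
```

Run `fat_architectures(open(path, "rb").read(64))` on a suspect file to confirm it carries both slices, and `scan_fonts_dir()` on a host to see whether any of the dropped artifacts are present.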
IoC
4a7a1626b6baf8c917945b8fc414c8b9