Lazarus APT’s Operation Interception Uses Signed Binary
2022-12-20 • K7Security Labs
https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/
K7 Labs analyzed a Lazarus Operation In(ter)ception macOS sample, a fat (universal) binary whose code-signing certificate has since been revoked, that targets victims with a Coinbase job-vacancy lure. The malware drops a Coinbase-themed PDF, FinderFontsUpdater.app, a downloader named safarifontsagent, and a zero-byte file named Finder under ~/Library/Fonts, and persists through a LaunchAgent labelled iTunes_trush. The safarifontsagent component collects host details such as the macOS version and CPU information and appends them to its requests to the C2 at hxxps(:)//concrecapital(.)com (defanged here; the IOC table below lists the live form). The C2 was unavailable during analysis, but K7 recorded the parent malware hash 4a7a1626b6baf8c917945b8fc414c8b9 and documented the staged download flow used to retrieve the next payload. Because the certificate is revoked, Gatekeeper on a current macOS will refuse the dropper unless the user bypasses it, so a successful infection implies the lure convinced the user to override that warning.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | concrecapital.com | 2022-09-26 | 2023-10-04 |
| HASH | 4a7a1626b6baf8c917945b8fc414c8b9 | 2022-12-20 | 2022-12-20 |
| URL | https://concrecapital.com | 2022-12-20 | 2022-12-20 |
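The artifacts above (dropped files under ~/Library/Fonts, the iTunes_trush LaunchAgent, the parent hash and the C2 hostname) are enough to write a host-level hunt. The script below is an added example, not K7's tooling and not code from the sample; it assumes every dropped file sits under ~/Library/Fonts and the persistence plist under ~/Library/LaunchAgents (the summary does not pin down the plist's file name, so it matches on the label string instead). The make_fixture function builds a constructed fake home directory so the hunt can be exercised offline; nothing in it is a real sample.

```shell
#!/bin/sh
# Hypothetical hunt for the Operation In(ter)ception artifacts summarised above.
# Assumptions: dropped files live under ~/Library/Fonts, the LaunchAgent plist
# under ~/Library/LaunchAgents. Pass a home directory to scan a mounted image
# or a fixture instead of the live $HOME.

PARENT_HASH="4a7a1626b6baf8c917945b8fc414c8b9"   # parent malware hash from K7
C2_HOST="concrecapital.com"                      # C2 hostname from K7

# MD5 of a file, portable between macOS (md5 -q) and Linux (md5sum).
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# Prints one "finding: ..." line per hit. Returns 0 if anything was found,
# 1 if the home directory looks clean.
hunt_interception() {
  home="${1:-$HOME}"
  fonts="$home/Library/Fonts"
  agents="$home/Library/LaunchAgents"
  hits=0

  # 1. Dropped files: the downloader and the signed app bundle by name,
  #    plus the zero-byte "Finder" file (a real Finder is never empty).
  for name in safarifontsagent FinderFontsUpdater.app; do
    if [ -e "$fonts/$name" ]; then
      echo "finding: dropped file $fonts/$name"
      hits=$((hits + 1))
    fi
  done
  if [ -f "$fonts/Finder" ] && [ ! -s "$fonts/Finder" ]; then
    echo "finding: zero-byte Finder file $fonts/Finder"
    hits=$((hits + 1))
  fi

  # 2. Persistence: any LaunchAgent whose file name or content carries the
  #    iTunes_trush label, whatever the plist is called on disk.
  if [ -d "$agents" ]; then
    for plist in "$agents"/*.plist; do
      [ -f "$plist" ] || continue
      case "$plist" in *iTunes_trush*) match=1 ;; *) match=0 ;; esac
      if [ "$match" -eq 1 ] || grep -aq "iTunes_trush" "$plist"; then
        echo "finding: LaunchAgent $plist references iTunes_trush"
        hits=$((hits + 1))
      fi
    done
  fi

  # 3. Content checks over every file in Fonts: known parent hash, and the
  #    C2 hostname the downloader embeds in its requests. Newline-separated
  #    iteration keeps paths with spaces intact (newlines in names are not
  #    handled; acceptable for a hunt).
  if [ -d "$fonts" ]; then
    nl='
'
    oldifs=$IFS; IFS=$nl
    for f in $(find "$fonts" -type f); do
      IFS=$oldifs
      if [ "$(file_md5 "$f")" = "$PARENT_HASH" ]; then
        echo "finding: parent hash $PARENT_HASH matches $f"
        hits=$((hits + 1))
      fi
      if grep -aq "$C2_HOST" "$f"; then
        echo "finding: C2 host $C2_HOST embedded in $f"
        hits=$((hits + 1))
      fi
      IFS=$nl
    done
    IFS=$oldifs
  fi

  [ "$hits" -gt 0 ]
}

# Constructed fixture (not a real sample): a fake home directory laid out the
# way the summary describes, so the hunt can be run offline. The plist body
# is a minimal stand-in; only the Label is taken from the report.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS" \
           "$root/Library/LaunchAgents"
  printf 'constructed downloader stub, C2 https://%s/\n' "$C2_HOST" \
    > "$root/Library/Fonts/safarifontsagent"
  : > "$root/Library/Fonts/Finder"
  cat > "$root/Library/LaunchAgents/com.example.fonts.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>iTunes_trush</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  echo "$root"
}

# Scan the directory given on the command line, e.g. ./hunt.sh /Volumes/img/Users/alice
if [ "$#" -gt 0 ]; then
  hunt_interception "$1"
fi
```

The three checks deliberately overlap: a renamed plist still trips the label grep, a renamed downloader still trips the C2-string or hash check, and a rebuilt dropper with a fresh hash still trips the path and LaunchAgent checks. Treat a zero-byte Finder under Fonts as high-signal on its own; nothing legitimate writes there.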