Operation In(ter)ception continues Lazarus’ macOS malware activity, using decoy job postings for Coinbase and Crypto.com to lure victims and install a multi-stage payload. The campaign features persistence via a LaunchAgent, staged download components, and hardcoded C2 domains, with published indicators of compromise to aid defenders. #Lazarus #OperationInterception
Key points
- Lazarus uses macOS-themed variants of Operation In(ter)ception, extending its crypto-targeting campaign to macOS users and employees.
- Decoy documents advertise crypto jobs (Coinbase first, then Crypto.com) to entice targets.
- The first stage creates a WifiPreference folder and installs a LaunchAgent persistence mechanism (com.wifianalyticsagent.plist).
- The LaunchAgent uses the label iTunes_trush and hardcodes target paths, indicating rigid, prebuilt variants.
- Second-stage payloads act as downloaders to fetch a third-stage binary (wifianalyticsagent) from a C2 server.
- Binaries are signed with ad hoc signatures to bypass Gatekeeper, signaling shortcuts to avoid Mac security checks.
- Hardcoded C2 domains (e.g., market.contradecapital[.]com) illustrate explicit command-and-control infrastructure.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Decoy PDF documents advertising positions on crypto exchange Coinbase were discovered. “…Decoy PDF documents advertising positions on crypto exchange platform Coinbase were discovered by our friends at ESET back in August 2022…”
- [T1543.003] Launch Agent – The first stage creates a folder in the user’s Library called “WifiPreference” and drops a persistence agent at ~/Library/LaunchAgents/com.wifianalyticsagent.plist. “…The LaunchAgent uses the same label as in the Coinbase variant, namely iTunes_trush…”
- [T1116] Code Signing – The binaries are universal Mach-O and signed with an ad hoc signature to bypass Gatekeeper. “signed with an ad hoc signature, meaning that they will pass Apple’s Gatekeeper checks despite not being associated with a recognized developer identity.”
- [T1105] Ingress Tool Transfer – The second-stage functions as a downloader from a C2 server. “…This functions as a downloader from a C2 server.”
- [T1071.001] Web Protocols – The downloader communicates with a hardcoded C2 domain (market.contradecapital[.]com). “Hardcoded C2 in the third-stage downloader” and “market.contradecapital[.]com”
Indicators of Compromise
- [SHA-1] a57684cc460d4fc202b8a33870630414b3bbfafc – 1st Stage, xxx
- [SHA-1] 65b7091af6279cf0e426a7b9bdc4591679420380 – Crypto.com_Job_Opportunities_2022_confidential.pdf
- [SHA-1] 1f0f9020f72aa5a38a89ffd6cd000ed8a2b49edc – 2nd Stage, WifiAnalyticsServ
- [SHA-1] 1b32f332e7fc91252181f0626da05ae989095d71 – 3rd stage, wifianalyticsagent
- [Domain] market.contradecapital[.]com – C2 domain used by the downloader
- [File Path] ~/Library/LaunchAgents/com.wifianalyticsagent.plist – Persistence mechanism
- [File Path] ~/Library/WifiPreference/WifiAnalyticsServ.app – 2nd-stage app
- [File Path] ~/Library/WifiPreference/WifiCloudWidget – 3rd-stage payload location
- [File Path] ~/Library/WifiPreference/wifianalyticsagent – 3rd-stage binary
- [File Path] Crypto.com_Job_Opportunities_2022_confidential.pdf – Decoy document
- [Label/Bundles] iTunes_trush, finder.fonts.extractor – Identifiers observed in the malware
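As an added defender-side example (this is not code from the report or from the researchers it cites), the Python script below turns the persistence description and the indicator list above into a host triage check: it parses each LaunchAgent plist under a user's ~/Library/LaunchAgents and flags the labels and path fragments listed above, hashes every file under ~/Library/WifiPreference against the published SHA-1s, and matches DNS log lines against the C2 domain. The sample plist and the two log lines are constructed for the demonstration (the plist is modelled on the description, not a copy of the real file), and the function names and the `home` parameter of `scan_host` are my own choices; the hashes, labels, paths and domain are taken from the indicator list.

```python
"""Triage a macOS user profile for Operation In(ter)ception indicators (added example)."""
import hashlib
import os
import plistlib
from pathlib import Path

# Indicators copied from the report's IoC list.
IOC_SHA1 = {
    "a57684cc460d4fc202b8a33870630414b3bbfafc": "1st stage",
    "65b7091af6279cf0e426a7b9bdc4591679420380": "decoy PDF",
    "1f0f9020f72aa5a38a89ffd6cd000ed8a2b49edc": "2nd stage WifiAnalyticsServ",
    "1b32f332e7fc91252181f0626da05ae989095d71": "3rd stage wifianalyticsagent",
}
IOC_LABELS = {"iTunes_trush", "finder.fonts.extractor"}
IOC_PATH_FRAGMENTS = ("Library/WifiPreference", "wifianalyticsagent", "WifiCloudWidget")
IOC_DOMAIN = "market.contradecapital.com"  # defanged as market.contradecapital[.]com above


def inspect_launch_agent(plist_bytes):
    """Return a list of findings for one LaunchAgent plist given as bytes."""
    findings = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist content is itself worth noting
        return ["unparseable plist: %s" % exc]
    label = data.get("Label", "")
    if label in IOC_LABELS:
        findings.append("label matches IoC: %s" % label)
    # The report notes the agent hardcodes its target paths, so check Program and
    # ProgramArguments against the known WifiPreference paths.
    for item in [data.get("Program", ""), *data.get("ProgramArguments", [])]:
        if any(frag in str(item) for frag in IOC_PATH_FRAGMENTS):
            findings.append("program path matches IoC: %s" % item)
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad is set (runs at every login)")
    return findings


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root):
    """Hash every regular file under root; return {path: description} for IoC hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha1_of(p)
            except OSError:
                continue
            if digest in IOC_SHA1:
                hits[p] = IOC_SHA1[digest]
    return hits


def match_dns_log(lines):
    """Return log lines whose queried name is the C2 domain or a subdomain of it."""
    hits = []
    for line in lines:
        for token in line.split():
            name = token.strip(".").lower()
            if name == IOC_DOMAIN or name.endswith("." + IOC_DOMAIN):
                hits.append(line)
                break
    return hits


def scan_host(home=None):
    """Check one user's LaunchAgents and WifiPreference folder; home defaults to $HOME."""
    home = Path(home or Path.home())
    report = {"launch_agents": {}, "hashes": {}, "wifipreference_exists": False}
    agents_dir = home / "Library" / "LaunchAgents"
    if agents_dir.is_dir():
        for plist in agents_dir.glob("*.plist"):
            found = inspect_launch_agent(plist.read_bytes())
            if found:
                report["launch_agents"][str(plist)] = found
    wifipref = home / "Library" / "WifiPreference"
    report["wifipreference_exists"] = wifipref.exists()
    if wifipref.is_dir():
        report["hashes"] = scan_directory(wifipref)
    return report


# Constructed sample modelled on the report's description (label iTunes_trush,
# hardcoded path under ~/Library/WifiPreference); not the real plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>iTunes_trush</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/WifiPreference/wifianalyticsagent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed DNS resolver log lines for the demonstration.
SAMPLE_DNS_LOG = [
    "2022-08-16T10:01:02Z query A market.contradecapital.com. from 10.0.0.5",
    "2022-08-16T10:01:05Z query A example.org. from 10.0.0.5",
]

if __name__ == "__main__":
    for finding in inspect_launch_agent(SAMPLE_PLIST):
        print("sample plist:", finding)
    for line in match_dns_log(SAMPLE_DNS_LOG):
        print("dns hit:", line)
    print(scan_host())
```

Run it as the user being triaged, or pass another home directory to `scan_host`; the hash check catches the known samples, while the label and path checks also catch rebuilt variants of the same LaunchAgent that the report says share the `iTunes_trush` label and hardcoded paths.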