{
	"id": "a1ebc089-b5fb-4319-8105-aeddddcaf87d",
	"created_at": "2026-04-06T00:10:55.021509Z",
	"updated_at": "2026-04-10T13:12:38.224431Z",
	"deleted_at": null,
	"sha1_hash": "fd77be9968c1e62d9636effa19d9d80a97961134",
	"title": "Lazarus APT’s Operation Interception Uses Signed Binary",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1373064,
	"plain_text": "Lazarus APT’s Operation Interception Uses Signed Binary\r\nPublished: 2022-12-20 · Archived: 2026-04-05 14:27:09 UTC\r\nMalware authors have regularly used signed binaries to get past Apple’s security mechanisms and infect macOS users. We came across one such sample. This time the bait is a job vacancy at Coinbase: while the victim reads the job description, a signed binary is quietly run in the background to carry out the malicious activity. This is an instance of Operation In(ter)ception by Lazarus.\r\nThe malware under consideration is a fat (universal) binary containing both an x86_64 and an ARM64 executable, so it runs on Intel \u0026 Apple silicon machines alike.\r\nFigure 1 : Fat binary\r\nThe malware is a signed executable. The Developer ID certificate was issued to Shankey Nohria; it has since been revoked.\r\nFigure 2 : Revoked certificate\r\nWhen executed, it drops 4 files in the folder ~/Library/Fonts (the ~ character stands for the user’s home directory):\r\n1. A PDF document named Coinbase_online_careers_2022_07.pdf\r\n2. An application bundle named FinderFontsUpdater.app which contains a fat binary\r\n3. A downloader agent named safarifontsagent which connects to the C2. This is also a fat binary\r\n4. A zero-byte file named Finder\r\nhttps://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/\r\nPage 1 of 7\n\nThe PDF contains job details for the Coinbase company. It was created with Microsoft Word 2019 (PDF version 1.7), and the document author is given as “UChan”.\r\nFigure 3 : Dropped pdf properties\r\nAs the malware executes, the PDF pops up on screen, but in the background the malware begins its malicious operation, starting with wiping the Terminal’s saved application state. 
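The fat binary in Figure 1 can be triaged offline without Apple tooling such as lipo or file. The Python below is an added example, not code from the K7 report: it parses the fat header, names each architecture slice and checks that every slice actually starts with a 64-bit Mach-O header, which is how a universal Intel + Apple silicon dropper like this one is laid out on disk. The blob it parses is constructed inside the script and is not the real sample.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # fat header magic, always stored big-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O magic, little-endian on disk
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: 'x86_64', CPU_TYPE_ARM64: 'arm64'}
FAT_ARCH_SIZE = 20          # cputype, cpusubtype, offset, size, align (uint32 each)


def parse_fat(blob):
    '''Return [(arch, offset, size), ...] for the slices of a fat Mach-O.
    Returns [] when blob is not a fat binary (thin Mach-O, Java class file,
    anything else); raises ValueError when the fat header is malformed.'''
    if len(blob) < 8:
        return []
    magic, nfat = struct.unpack_from('>II', blob, 0)
    # 0xCAFEBABE is also the Java class-file magic. There the next 4 bytes are
    # minor/major version (major >= 45), so a large count means: not a fat file.
    if magic != FAT_MAGIC or nfat == 0 or nfat > 30:
        return []
    slices = []
    for i in range(nfat):
        off = 8 + i * FAT_ARCH_SIZE
        if off + FAT_ARCH_SIZE > len(blob):
            raise ValueError('truncated fat header')
        cputype, _subtype, soff, ssize, _align = struct.unpack_from('>IIIII', blob, off)
        if ssize < 4 or soff + ssize > len(blob):
            raise ValueError('slice %d lies outside the file' % i)
        if struct.unpack_from('<I', blob, soff)[0] != MH_MAGIC_64:
            raise ValueError('slice %d does not start with a 64-bit Mach-O' % i)
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), soff, ssize))
    return slices


def runs_on_both(blob):
    '''True when the file carries both an Intel and an Apple silicon slice.'''
    archs = {s[0] for s in parse_fat(blob)}
    return {'x86_64', 'arm64'} <= archs


def build_sample():
    '''Constructed stand-in for a fat binary: two minimal 64-bit Mach-O headers
    (no load commands) at 4 KiB-aligned offsets. Not the real malware sample.'''
    def stub(cputype):
        # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2),
        # ncmds, sizeofcmds, flags, reserved
        return struct.pack('<IIIIIIII', MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)
    x86, arm = stub(CPU_TYPE_X86_64), stub(CPU_TYPE_ARM64)
    off_x86, off_arm = 0x1000, 0x2000
    header = struct.pack('>II', FAT_MAGIC, 2)
    header += struct.pack('>IIIII', CPU_TYPE_X86_64, 3, off_x86, len(x86), 12)
    header += struct.pack('>IIIII', CPU_TYPE_ARM64, 0, off_arm, len(arm), 12)
    blob = header.ljust(off_x86, bytes(1)) + x86
    return blob.ljust(off_arm, bytes(1)) + arm


if __name__ == '__main__':
    sample = build_sample()
    for arch, off, size in parse_fat(sample):
        print('%-8s offset=%#x size=%d' % (arch, off, size))
    print('universal:', runs_on_both(sample))
```

To run it on a real file, read the file into bytes and pass it to parse_fat; the slice offsets it returns are where a per-architecture disassembly or hash would start. The 0xCAFEBABE collision with Java class files is a real triage pitfall, which is why the slice count is sanity-checked before anything is trusted.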
\r\nFigure 4 : Removing the saved state of terminal\r\nIt then drops 2 archives and extracts them with the tar command, producing FinderFontsUpdater.app and safarifontsagent.\r\nFigure 5 : Extracting the dropped files into executable binaries\r\nOnce the 2 files have been extracted, a LaunchAgent named iTunes_trush is created by the function startDaemon(), with safarifontsagent set as its target binary.\r\nFigure 6 : LaunchAgent created\r\nFigure 7 : Dropped files\r\nAfter dropping the above files, the malware executes FinderFontsUpdater.app (2nd stage).\r\nFigure 8 : The second stage file gets executed by the malware\r\nThe main function of FinderFontsUpdater.app is to execute the safarifontsagent binary (3rd stage), which communicates with the C2.\r\nFigure 9 : Function to execute the 3rd stage malware\r\nUpon execution, safarifontsagent calls a user-defined function named DownloadFile() with a couple of arguments. One of them is the URL “hxxps(:)//concrecapital(.)com” with the user name of the victim machine appended, as can be seen in Figure 10.\r\nFigure 10 : Argument of the DownloadFile() function\r\nThe malware then queries the system through calls such as getuid, getpwuid, getuname etc. to gather information. After that, it uses the command “sw_vers -productVersion” \u0026 the sysctl key “hw.cpufrequency” (read via sysctlbyname) to profile the victim’s machine. 
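Persistence through a user LaunchAgent whose target lives in ~/Library/Fonts is the most huntable part of this chain: that directory should only ever hold font files. The Python below is an added example, not the report’s code, that triages a LaunchAgent plist with heuristics derived from the behaviour described above. The plist it checks is constructed inside the script to mimic the iTunes_trush agent; the exact keys the malware writes (ProgramArguments, RunAtLoad, KeepAlive) are an assumption, since the report does not list them.

```python
import plistlib
import posixpath


def program_path(agent):
    '''The binary launchd will run: ProgramArguments[0] wins over Program.'''
    args = agent.get('ProgramArguments')
    if isinstance(args, list) and args:
        return str(args[0])
    prog = agent.get('Program')
    return str(prog) if prog is not None else None


def triage_launch_agent(plist_bytes, home):
    '''Return a list of (rule, detail) findings for one LaunchAgent plist found
    under <home>/Library/LaunchAgents. An empty list means nothing matched.'''
    agent = plistlib.loads(plist_bytes)
    findings = []
    target = program_path(agent)
    if target is None:
        return [('no_program', 'plist launches nothing')]
    target = posixpath.normpath(target)
    # Rule 1: ~/Library/Fonts should hold font files only; a LaunchAgent that
    # points an executable there is the hallmark of this dropper.
    fonts_dir = posixpath.join(home, 'Library', 'Fonts') + '/'
    if target.startswith(fonts_dir):
        findings.append(('exec_in_fonts_dir', target))
    # Rule 2: legitimate agents use reverse-DNS labels (com.vendor.product);
    # iTunes_trush has no dots and borrows an Apple product name.
    label = str(agent.get('Label', ''))
    if '.' not in label:
        findings.append(('label_not_reverse_dns', label))
    # Rule 3: context only (many benign agents set this too), but worth
    # recording next to the stronger findings above.
    if agent.get('RunAtLoad') or agent.get('KeepAlive'):
        findings.append(('persistent', 'RunAtLoad/KeepAlive set'))
    return findings


def build_sample(home):
    '''Constructed plist modelled on the iTunes_trush agent; key set assumed.'''
    return plistlib.dumps({
        'Label': 'iTunes_trush',
        'ProgramArguments': [posixpath.join(home, 'Library', 'Fonts', 'safarifontsagent')],
        'RunAtLoad': True,
        'KeepAlive': True,
    })


def build_benign_sample():
    '''Constructed plist for a normally installed vendor agent, for contrast.'''
    return plistlib.dumps({
        'Label': 'com.example.sync',
        'Program': '/Applications/Sync.app/Contents/MacOS/sync',
    })


if __name__ == '__main__':
    home = '/Users/victim'
    for rule, detail in triage_launch_agent(build_sample(home), home):
        print(rule, detail)
    print('benign agent findings:', triage_launch_agent(build_benign_sample(), home))
```

On a live host, feed every file under ~/Library/LaunchAgents/ (and, with root, /Library/LaunchAgents and /Library/LaunchDaemons) to triage_launch_agent; plistlib.loads handles both XML and binary plists, so no conversion with plutil is needed first. Rule 1 alone is a high-confidence hit for this dropper; rules 2 and 3 exist to rank the rest of the output.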
\r\nThe malware then calls curl_easy_init() to obtain a libcurl handle for communication with the C2.\r\nFigure 11 : Curl commands to receive the payload\r\nNext, the malware opens the Finder file in ‘wb’ (write, binary) mode.\r\nIt takes the information gathered earlier (product version, CPU speed etc.), appends it to the URL hxxps(:)//concrecapital(.)com, and passes the resulting URL as an argument to curl_easy_setopt().\r\nFigure 12 : URL to get the payload from the C2\r\nIt then uses curl_easy_setopt \u0026 curl_easy_perform to connect to the C2 and fetch the payload, which is written into the Finder file.\r\nFigure 13 : Finder file is opened in write mode and Curl operations in motion\r\nThe C2 server was no longer responding, so we were unable to determine what the payload was. Note that the payload would have landed in the zero-byte Finder file dropped earlier in ~/Library/Fonts, so a non-empty file of that name there indicates a successful download.\r\nThreat actors targeting macOS users are increasing every day, so users need to be cautious when executing unknown executables. Users are requested to use a reputable security product such as “K7 Antivirus for Mac” and to keep it updated so as to stay safe from such threats.\r\nIOCs\r\nHash (MD5) : 4a7a1626b6baf8c917945b8fc414c8b9 (parent malware)\r\nDetection Name : Trojan ( 0040f2c11 )\r\nSource: https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/"
	],
	"report_names": [
		"lazarus-apts-operation-interception-uses-signed-binary"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd77be9968c1e62d9636effa19d9d80a97961134.pdf",
		"text": "https://archive.orkl.eu/fd77be9968c1e62d9636effa19d9d80a97961134.txt",
		"img": "https://archive.orkl.eu/fd77be9968c1e62d9636effa19d9d80a97961134.jpg"
	}
}