North Korean hacking group Lazarus has unleashed its first malicious operation targeting macOS users.
Russian security company Kaspersky’s Global Research and Analysis Team (GReAT) uncovered the op, dubbed ‘AppleJeus’, which saw Lazarus penetrating the IT systems of an Asia-based cryptocurrency exchange platform.
According to GReAT, the goal of the attack was to – unsurprisingly – steal cryptocurrency from their victims.
In addition to Windows-based malware, the researchers were able to identify a previously unknown version targeting Apple’s macOS operating system.
“This is the first case where Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware that targets macOS users, and it represents a wakeup call for everyone who uses this OS for cryptocurrency-related activity,” the firm said in a statement.
“Based on the analysis by GReAT, the penetration of the stock exchange’s infrastructure began when an unsuspecting company employee downloaded a third-party application from the legitimate-looking website of a company that develops software for cryptocurrency trading.”
GReAT said the application’s code is not suspicious, with the exception of one component: an updater. In legitimate software such a component is expected, because it is what downloads new versions of the programme, and that is precisely what allowed the attack to happen.
“In the case of AppleJeus, [the updater component] acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update,” the team explained.
The malicious update then installs a Trojan known as Fallchill, an old tool that the Lazarus Group has recently switched back to. This provided the researchers with a base for attribution.
“Upon installation, the Fallchill Trojan provides the attackers with almost unlimited access to the attacked computer, allowing them to steal valuable financial information or to deploy additional tools for that purpose,” it added.
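The chain described above (a bundled updater that posts a host fingerprint to a server outside the vendor’s domain and, if the operators choose, receives a binary “update” in return) is something a defender can look for in outbound-request telemetry. The following is an added example written for this page, not code from Kaspersky, the article or the AppleJeus sample: it runs a simple two-stage rule over constructed request records. The process names, domains and field names are placeholders, not indicators from the report.

```python
"""Flag 'updater' processes that beacon host details to an unexpected host.

Added illustration only. The events below are constructed; the domains and
process names are placeholders, not indicators from the AppleJeus report.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Host-fingerprint fields an updater has no reason to send anywhere but its vendor.
FINGERPRINT_FIELDS = {"hostname", "os_version", "serial", "username", "proc_list"}

# Response types that indicate an executable payload rather than version metadata.
BINARY_TYPES = ("application/octet-stream", "application/x-mach-binary")


@dataclass(frozen=True)
class NetEvent:
    process: str            # basename of the executable that made the request
    method: str             # HTTP method
    url: str                # request URL
    body_keys: frozenset    # keys seen in the request body (empty for GET)
    resp_type: str          # content-type of the response


def is_updater(process: str) -> bool:
    """Crude name match; a real deployment would key on code-signing identity."""
    return "updat" in process.lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_allowlist(host: str, allowed: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowed)


def flag_updater_beacons(events, vendor_domains):
    """Return (process, host, reason) tuples for two linked behaviours:
    1. an updater POSTs two or more fingerprint fields to a non-vendor host;
    2. the same updater later receives a binary response from that host
       (the 'software update' stage described in the article)."""
    allowed = {d.lower() for d in vendor_domains}
    findings = []
    beaconed = set()   # (process, host) pairs that already sent a fingerprint
    for e in events:
        if not is_updater(e.process):
            continue
        host = host_of(e.url)
        if in_allowlist(host, allowed):
            continue   # talking to its own vendor is expected updater behaviour
        sent = FINGERPRINT_FIELDS & set(e.body_keys)
        if e.method == "POST" and len(sent) >= 2:
            findings.append((e.process, host, f"fingerprint posted: {sorted(sent)}"))
            beaconed.add((e.process, host))
        elif e.resp_type.startswith(BINARY_TYPES) and (e.process, host) in beaconed:
            findings.append((e.process, host, "binary returned after beacon"))
    return findings


# Constructed sample telemetry (placeholder names and domains).
VENDOR_DOMAINS = {"updates.vendor.example"}
SAMPLE_EVENTS = [
    # Legitimate version check against the vendor's own domain: ignored.
    NetEvent("TradingApp Updater", "POST", "https://updates.vendor.example/check",
             frozenset({"app_version", "os_version"}), "application/json"),
    # Fingerprint sent to an unrelated host: stage 1.
    NetEvent("TradingApp Updater", "POST", "https://update-check.unknown.invalid/api",
             frozenset({"hostname", "os_version", "serial", "app_version"}), "application/json"),
    # Executable fetched from the same host afterwards: stage 2.
    NetEvent("TradingApp Updater", "GET", "https://update-check.unknown.invalid/dl/update.bin",
             frozenset(), "application/octet-stream"),
    # Unrelated browser traffic: ignored.
    NetEvent("Safari", "GET", "https://news.example/", frozenset(), "text/html"),
]

if __name__ == "__main__":
    for finding in flag_updater_beacons(SAMPLE_EVENTS, VENDOR_DOMAINS):
        print(finding)
```

The allowlist is the important design choice: an updater contacting its own vendor with version fields is normal, so the rule only fires when host-identifying fields leave for a domain the software has no business using, and the second stage is only reported for a host that already received such a beacon, which keeps ordinary binary downloads by legitimate updaters out of the alert queue.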
The situation was made worse by the fact that the criminals had developed software for both the Windows and macOS platforms, the latter of which is generally far less exposed to cyber threats than Windows.
“The functionality of both platform versions of the malware is exactly the same.”
Kaspersky’s GReAT team first noticed the Lazarus Group’s growing interest in cryptocurrency markets at the beginning of 2017, when Monero mining software was installed on one of the group’s servers by a Lazarus operator.
Since then, Kaspersky said, the group has been spotted several times targeting cryptocurrency exchanges alongside regular financial organisations.
“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation,” Kaspersky’s Head of GReAT APAC team, Vitaly Kamluk, said.
“We should definitely expect more such cases in the near future.
“For macOS users, this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies.”
Source: Inquirer