Dark Reading | Vulnerabilities / Threats
8/23/2018 03:07 PM
Lazarus Group Builds its First MacOS Malware

This isn't the first time Lazarus Group has infiltrated a cryptocurrency exchange as the hacking team has found new ways to achieve financial gain.

Same goals, new tools: Lazarus Group is targeting cryptocurrency exchanges with macOS malware, a sign the nation-state group is developing attacks for a broader variety of platforms to achieve its goal of financial gain.

This is the first case in which Kaspersky Lab researchers spotted Lazarus Group using malware targeting macOS. It seems the group - believed to be out of North Korea - wants to ensure OS platforms don't interfere with infecting targets, so it's building malware for different operating systems. A version of the same malware tailored for Linux is reportedly in the works.

This should serve as a wake-up call for users of non-Windows platforms, researchers note.

Kaspersky Lab discovered the so-called Operation AppleJeus while investigating a cryptocurrency exchange attacked by Lazarus Group. Its target had been hit with a Trojanized cryptocurrency application recommended to the company via email. One employee opened the message and downloaded the third-party app, infecting their machine with an old Lazarus Group tool dubbed Fallchill.

Multiple reports, including one from US-CERT, in the past year have pointed to the reappearance of Fallchill. The malware, a fully functional remote access Trojan, has been leveraged in attacks on the aerospace, finance, and telecommunications industries since 2016. Kaspersky researchers used the appearance of Fallchill in this scenario as a base for attribution to Lazarus Group.

In Operation AppleJeus, the malicious code was pushed in an update to Celas Trade Pro, a cryptocurrency trading app from Celas Limited. The vendor has a valid digital certificate for signing software and legitimate-looking registration records for its domain. However, researchers couldn't find a legitimate business located at the address noted on the certificate.

"When you start looking at bits and pieces behind the application, even that starts looking more and more illegitimate," says Kurt Baumgartner, principal security researcher at Kaspersky Lab.

When someone downloads the app on macOS, a hidden "autoupdater" module is installed in the background; it starts immediately after the app is installed and again after each system reboot. In most applications, updater components are used to download new program versions.

In the case of AppleJeus, the updater is used to collect information about the target machine and transmit the data back to the command-and-control server. If attackers decide it's worth infecting, they send a software update to install Fallchill. The Trojan provides attackers with "almost unlimited access" to the victim machine, giving them leeway to steal valuable financial data or deploy additional tools to snatch information.

Mac Attack

Lazarus Group developed software to target both the Windows and macOS platforms, and the malware works exactly the same on both operating systems. The extension to macOS is a recent and very narrow trend, Baumgartner notes.

"For the most part we see APT, we see mass exploitations, we see a lot of malware targeting Windows users," he explains. "This is the first time we've seen Lazarus in particular targeting macOS and users."

Why the move to Mac? Baumgartner isn't sure, but he speculates there is a possibility that cryptocurrency traders, and people on the cryptocurrency exchanges, are more interested – "and disproportionately interested" – in using macOS.

"There's no answer as to why, but that is new for them and it is unusual," he points out. Other threat groups, particularly Russian- and Chinese-speaking groups, have previously targeted macOS. It's a new move for Lazarus Group, but this isn't a one-time attack. "They're broadening the platforms they support," he adds. "They're going to continue going after macOS."

Because the Fallchill backdoor and C2 infrastructure have only been associated with the Trojanized cryptocurrency trading app, researchers believe the sole motive is financial gain.

Spotting Slip-ups: Where Lazarus Makes Mistakes

Baumgartner points out how Lazarus Group has a habit of dropping breadcrumbs, which simplify the process of attributing campaigns to the organization. One of the most interesting findings here comes from an additional backdoor hidden in hardcoded headers to communicate with the C2 server.

The Accept-Language HTTP header string revealed a language code associated with North Korea, which researchers say is unusual for malware. It seems the attackers forgot to change something in their developer environment, says Baumgartner.
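One defensive use of the Accept-Language observation above is to baseline the language tags your own clients normally send and flag proxy requests whose primary tag falls outside that set. The Python below is an added example, not code from the article or from Kaspersky Lab: the log format, the hosts and the expected-locale set are constructed, and the tag ko-KP (the standard BCP 47 tag for Korean as used in North Korea) is an assumption about what "a language code associated with North Korea" would look like; the article itself does not name the code.

```python
"""Hunt for outlier Accept-Language values in a simplified HTTP proxy log."""
import re
from collections import Counter

# Constructed sample proxy log lines (not from the article or Kaspersky's report).
# Format: client_ip method host "Accept-Language header value"
SAMPLE_LOG = """\
10.0.0.12 GET trade.example-exchange.test "en-US,en;q=0.9"
10.0.0.12 GET cdn.example-exchange.test "en-US,en;q=0.9"
10.0.0.31 POST update.example-updates.test "ko-KP"
10.0.0.44 GET news.example.test "de-DE,de;q=0.8,en;q=0.5"
10.0.0.31 POST update.example-updates.test "ko-KP"
10.0.0.12 GET mail.example.test ""
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<host>\S+)\s+"(?P<lang>[^"]*)"\s*$'
)

# Locales this hypothetical organisation expects its own clients to send.
EXPECTED_TAGS = {"en-us", "en", "de-de", "de"}

# Values that carry no locale information; many tools send none at all.
UNSPECIFIED = {"", "*"}


def parse_lines(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def primary_tag(accept_language):
    """Return the first language tag of an Accept-Language value, lowercased, q-value stripped."""
    first = accept_language.split(",")[0]
    return first.split(";")[0].strip().lower()


def tag_counts(records):
    """Count primary language tags across all requests; rare tags are hunting leads."""
    return Counter(primary_tag(r["lang"]) for r in records)


def find_outliers(records, expected=EXPECTED_TAGS):
    """Return requests whose primary language tag is neither expected nor unspecified."""
    hits = []
    for r in records:
        tag = primary_tag(r["lang"])
        if tag in UNSPECIFIED or tag in expected:
            continue
        hits.append({"ip": r["ip"], "host": r["host"], "tag": tag})
    return hits


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    for tag, n in tag_counts(recs).most_common():
        print(f"{tag or '<none>'}: {n}")
    for h in find_outliers(recs):
        print(f"outlier: {h['ip']} -> {h['host']} Accept-Language={h['tag']}")
```

On real proxy data the expected set should come from a baseline period rather than being hard-coded, and a hit is a lead to pivot on (which process on that host made the request, how often, to which server), not a verdict: a legitimate user with an unusual locale produces the same signal.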

"They make little mistakes every now and then that give us those insights into what is really behind this activity," he continues. In a previous incident, a malware operator was using multiple IPs connecting between France and Korea, but one short connection was made from an unusual IP range originating in North Korea.

"They do drop breadcrumbs, and these are pretty good breadcrumbs."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments

Kelly Jackson Higgins, User Rank: Strategist
8/24/2018 | 10:09:51 AM
Re: Not the first malware
@mahmoodn It's Lazarus Group's first macOS malware variant, as noted in the article. And yes, there are definitely other macOS malware variants out there, but not from Lazarus.

mahmoodn, User Rank: Apprentice
8/24/2018 | 3:06:22 AM
Not the first malware
Hi, what do you mean exactly by "the first macOS malware"? There were Leap and RSPlug in the past decade.