The infamous North Korean hacking group Lazarus APT has created malware that targets Apple Macs. Posing as a fake cryptocurrency firm, the group distributed malware that goes undetected by most engines on VirusTotal; to date, not a single engine on VirusTotal has been able to detect it.
Although the malware may appear to be something completely new, MalwareHunterTeam (MHT) researchers found on investigation that it shares similarities with earlier Lazarus malware identified by Kaspersky Labs. At that time, the group used PowerShell scripts to control both Windows and macOS systems. The Kaspersky Labs report describing the methodology Lazarus adopted reads:
They have developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects.
Like last time, the group set up a fake cryptocurrency firm, ‘JMT Trading’, to attack Apple Macs. The group uploaded a cryptocurrency trading app to GitHub along with the malware. The trading app was deliberately made open source so that people would readily download it, and the malware along with it.
Patrick Wardle, Apple Mac security specialist and principal security researcher at Jamf, analyzed the application and its installation process. He discovered a suspicious package and a launch daemon, and worked out the functionality of the hackers’ backdoor script.
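A launch daemon is the persistence mechanism named above: a property list under /Library/LaunchDaemons (or a LaunchAgents folder) that tells launchd what to run at boot or login. The following is an added example, not code from the article, from Wardle, or from any vendor tool, showing how a defender can review such entries and flag jobs that point at code outside the usual vendor locations. The trusted-prefix list, the interpreter list and the two sample plists are constructed assumptions for illustration; the real JMT Trading artifacts are not reproduced here.

```python
"""Review macOS launchd persistence entries for jobs that run untrusted code.

Added example, not part of the original article or any researcher's tooling.
It assumes only the standard plist keys (Label, Program/ProgramArguments,
RunAtLoad, KeepAlive) and ships constructed sample plists so it runs offline.
"""
from __future__ import annotations

import plistlib
from pathlib import Path

# Locations where vendor-installed jobs normally live (assumed baseline, tune per fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")
# Interpreters that commonly wrap a script: the script, not the shell, is what matters.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript"}


def default_launchd_dirs() -> list[Path]:
    """Real launchd directories consulted on a live machine."""
    return [
        Path("/Library/LaunchDaemons"),
        Path("/Library/LaunchAgents"),
        Path.home() / "Library/LaunchAgents",
    ]


def effective_program(job: dict) -> tuple[str | None, bool]:
    """Return (path that actually runs, True if it is reached through an interpreter)."""
    args = [str(a) for a in job.get("ProgramArguments") or []]
    program = str(job.get("Program") or (args[0] if args else "")) or None
    if program and Path(program).name in INTERPRETERS and len(args) > 1:
        return args[-1], True  # e.g. /bin/sh -c /path/to/script.sh
    return program, False


def review_plist(data: bytes, source: str) -> dict | None:
    """Parse one launchd plist; return a finding dict if it looks suspicious, else None."""
    try:
        job = plistlib.loads(data)
    except Exception:  # malformed plist: a broken job file is itself worth a look
        return {"source": source, "label": None, "program": None, "reasons": ["unparseable plist"]}
    program, wrapped = effective_program(job)
    if not program:
        return None
    reasons = []
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"runs code outside trusted locations: {program}")
    if any(part.startswith(".") for part in Path(program).parts):
        reasons.append("path contains a hidden (dot) component")
    if not reasons:
        return None  # RunAtLoad/KeepAlive alone are normal for legitimate jobs
    if wrapped:
        reasons.append("launched through an interpreter wrapper")
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad: starts at boot/login")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched if killed")
    return {"source": source, "label": job.get("Label"), "program": program, "reasons": reasons}


def scan_launchd_dirs(dirs: list[Path] | None = None) -> list[dict]:
    """Walk the launchd directories on this machine and collect findings."""
    findings = []
    for d in dirs if dirs is not None else default_launchd_dirs():
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                finding = review_plist(p.read_bytes(), str(p))
            except OSError:
                continue
            if finding:
                findings.append(finding)
    return findings


# Constructed sample plists (not real artifacts): one ordinary vendor updater,
# one job that hides a shell script under a dotted directory.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.launcher</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>/Users/Shared/.hidden/run.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for sample, name in ((SAMPLE_BENIGN, "sample-benign"), (SAMPLE_SUSPICIOUS, "sample-suspicious")):
        print(name, "->", review_plist(sample, name))
    for f in scan_launchd_dirs():  # live scan; empty on non-macOS hosts
        print(f)
```

Running it on a Mac prints the two sample verdicts and then any live findings; only the sample with the dotted path and the shell wrapper is flagged, while the vendor updater that merely sets RunAtLoad is left alone, which keeps the output short enough to review by hand.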
According to Wardle, the malware should have been detected by open-source tools and manual detection processes. After noting that it was nonetheless bypassing security controls, he explained that employees of cryptocurrency firms were the ones exposed to danger; everyday retail investors were not the malware’s primary target.
As mentioned earlier, this isn’t the first time Lazarus has attempted to manipulate users through illicit practices. In fact, Lazarus is widely known for stealing as much as $571 million in a single year. At the time, Dmitry Volkov, the CTO of Group-IB, regarded Lazarus as one of the four most dangerous hacking groups in the crypto space.
The group has been very active in the space for a while, releasing various malware and carrying out several hacks. According to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), several hacking groups based in North Korea are backed by the North Korean government. The exact words of the U.S. Treasury were:
Today’s actions identify North Korean hacking groups commonly known within the global cyber security private industry as “Lazarus Group,” “Bluenoroff,” and “Andariel” as agencies, instrumentalities, or controlled entities of the Government of North Korea…
Besides Lazarus, there are plenty of North Korean hackers active in the space. A few months ago, the North Korean hacking group Kim Soo-ki was accused of hacking the South Korean exchange UpBit. Showing considerable attention to detail, a hacker posing as a UpBit representative approached UpBit customers via email and asked them for more of their information.
Apart from requesting personal information, the email carried an attachment which, once downloaded by a user, collected data about the user’s machine, private keys and login credentials and sent it to the hackers.
Hackers and scammers in the space have been damaging the reputation of cryptocurrencies since the inception of bitcoin. Let’s see how authorities and regulators in different countries deal with bad actors in the space.