Bleeping Computer: Dinesh Devadoss discovered a new malware that targets macOs with a very low detection rate. Patrick Wardle attributed it to Lazarus APT
Lazarus North Korean hackers target macOs with a new malware. According to Bleeping Computer, it has a very low detection rate and comes with capabilities that allow it to retrieve a payload from a remote location and run it in memory, making the forensic analysis more difficult. Cyber security researcher Dinesh Devadoss provided a hash for the new threat, that could load a mach-O executable file from memory and execute it. Checking the sample on VirusTotal shows that its detection is almost inexistent. At the moment of writing, just four antivirus engines flagged it as malicious, improving to five at publishing time. Security researcher and macOS hacker Patrick Wardle analyzed the APT malware found by Devadoss and determined that “there are some clear overlaps” with another first-stage implant attributed to Pyongyang state sponsored group and found by MalwareHunterTeam less than two months ago.
The cyber security experts: The North Korean hackers malicious code is hosted in a cryptocurrency trading platform. The campaign is similar to Operation AppleJeus
According to the cyber security experts, the new APT sample is packaged under the name UnionCryptoTrader and was hosted on a website called “unioncrypto.vip” that advertises a “smart cryptocurrency arbitrage trading platform” but provides no download links. The package is not signed, which means that opening it will trigger a warning from the operating system (OS). In a detailed analysis, Wardle notes that the malware has a ‘postinstall’ script that installs the ‘vip.unioncrypto.plist’ launch daemon for persistence. Furthermore it’s fileless, a rare feature for macOS malicious codes. Moreover all the implant is similar to Operation AppleJeus, a Lazarus campaign discovered by Kaspersky. In the attacks was used a trojanized cryptocurrency trading application, signed with a valid certificate issued for a company that did not exist at the address listed in the certificate information.