AppleJeus: macOS users targeted in new Lazarus attacks

The campaign includes the distribution of Apple macOS malware for the first time.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a new campaign by the infamous Lazarus group which targets cryptocurrency exchanges in order to spread malware to Windows and macOS users.

According to Kaspersky Lab, the new campaign, dubbed AppleJeus, first surfaced in an attack against a cryptocurrency exchange. The exchange, based in Asia, had its network infected with a Lazarus Trojan, which led to the malware being distributed to both Windows and macOS machines.

The team says that the Trojan -- which was previously only connected to Windows machine infections -- aims to steal cryptocurrency from users.

This is the first time that Lazarus, which is believed to be a state-sponsored North Korean threat group, has been caught distributing malware for Mac machines.

North Korea has also been linked to attacks including the WannaCry ransomware outbreak and bank heists.


Previously, Lazarus has been connected to attacks against South Korean think tanks and other political targets that exploited Windows zero-day vulnerabilities.

Although the state-sponsored group has been rewriting old code to build new attacks, it should not be underestimated.

One of the latest targets of interest to the group appears to be cryptocurrency, potentially due to the virtual coins' worth as a financial asset. Lazarus has already initiated a set of cryptocurrency theft-related schemes, including the use of phishing emails embedded with malware designed to compromise user wallets.


This trend appears to have continued but emails are no longer enough -- now, entire exchanges are on the Lazarus radar.

Lazarus has not gone in with all guns blazing, however. Instead, the threat group penetrated the exchange by creating and offering seemingly legitimate software online.

Kaspersky says that a company employee unwittingly downloaded a third-party application from a website domain offering software for cryptocurrency trading. The website and software did not appear malicious.

However, the software contained an updater module which collects basic information on PCs and sends the data to a command-and-control (C&C) server.

If the threat actors decide the PC is "worth attacking," then a software update is sent, according to the researchers. This 'update,' available in both Windows and Mac variants, installs the Fallchill Trojan, an old tool which Lazarus has recently picked back up.

The Trojan can be used for the theft of financial information and wallet compromise, as well as the execution of additional malicious payloads.

The company that offered the malicious software holds a valid digital certificate for signing it, which makes the malicious component of the software extremely difficult to detect. Kaspersky was also unable to identify the organization that offered the certificate.


"We noticed a growing interest of the Lazarus Group in cryptocurrency markets at the beginning of 2017 when Monero mining software was installed on one of their servers by a Lazarus operator," said Vitaly Kamluk, Head of GReAT APAC, Kaspersky Lab. "Since then, they have been spotted several times targeting cryptocurrency exchanges alongside regular financial organizations."

"The fact that they developed malware to infect macOS users in addition to Windows users and -- most likely -- even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future," Kamluk added.
