New Lazarus Operation Targets Windows, macOS Systems
The North Korea-linked Lazarus group has been leveraging PowerShell to target both Windows and macOS machines as part of an attack campaign that has been ongoing since at least November 2018, Kaspersky Lab reports.
Believed to be backed by the North Korean government, the Lazarus group has been accused of various high-profile attacks, including the Sony hack in 2014 and 2017’s WannaCry outbreak, and is said to be the most serious threat to banks.
Last year, the hacking group was observed targeting various cryptocurrency exchanges on multiple occasions, including the attack referred to as Operation AppleJeus, which employed the Fallchill malware.
Operation AppleJeus stood out from the crowd because of the use of malware that could target macOS too, in addition to Windows, and the group has apparently continued the trend and expanded their operations for Apple’s platform, Kaspersky now reveals.
Designed to masquerade as WordPress files (or as resources for other popular projects), custom PowerShell scripts used in the new campaign communicate with malicious command and control (C&C) servers and execute commands from the operator.
After connecting to the server, the malware can set sleep time (delay between C2 interactions), exit, collect basic host information, check status, show current malware configuration, update configuration, execute system shell command, and download / upload files.
Lazarus uses both compromised and purchased servers for their campaign, including servers from China and the European Union used to host macOS and Windows payloads. They apparently only use rented servers to host malware, while keeping the C&C scripts on compromised servers.
Based on the documents used to distribute malware, the group once again targeted cryptocurrency businesses, Kaspersky’s security researchers say. The group was apparently focused on organizations in South Korea.
Kaspersky also believes that the group used the same developers to build their macOS malware, given similarities in the functionality observed in various malware samples.
“We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It’s best to check new software with an antivirus or at least use popular free virus-scanning services,” Kaspersky says.
According to a new report from cybersecurity firm Red Canary, PowerShell is by far the most prevalent MITRE ATT&CK technique used by hackers, being detected twice as often as the next most common technique.
Related: Researchers Link Chilean Interbank Attack to North Korea
Related: Was North Korea Wrongly Accused of Ransomware Attacks?