
North Korean Hackers Hit Cryptocurrency Exchange with macOS Malware

In a recent attack against a cryptocurrency exchange, the North Korea-linked Lazarus group went the extra mile by deploying malware for macOS, Kaspersky Lab has discovered.

Active since at least 2009 and believed to be backed by the North Korean government, Lazarus is considered the most serious threat to banks. The group is said to have orchestrated a large number of high-profile attacks, including the Sony hack in 2014 and last year’s WannaCry outbreak.

In recent months, in addition to banks, the group has focused on various cryptocurrency exchanges. In one of the attacks, which Kaspersky refers to as Operation AppleJeus, the group tricked an unsuspecting employee into downloading a trojanized cryptocurrency trading application that covertly downloaded and installed the Fallchill malware.

What made this attack stand out compared to other Lazarus-linked incidents, however, was the fact that the attackers designed their malware to target macOS too, in addition to Windows. This is the first time Lazarus is observed using malware for Apple’s operating system, Kaspersky says.

“The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms,” the security firm points out.

The malicious code, however, wasn’t delivered alongside the application’s installation package. Instead, it was pushed to the target machine in the form of an update, Kaspersky’s security researchers have discovered.

The legitimate-looking application is called Celas Trade Pro and comes from Celas Limited. An all-in-one style cryptocurrency trading program, it showed no signs of malicious behavior at first.

However, at the end of the installation process, it was seen running the Updater.exe module, which would collect system information and send it back to the server in the form of a GIF image.

Based on the server’s response, the updater either keeps quiet or extracts a payload with base64 and decrypts it using RC4 with another hardcoded key to retrieve an executable file.

“For macOS users, Celas LLC also provided a native version of its trading app. A hidden ‘autoupdater’ module is installed in the background to start immediately after installation, and after each system reboot,” Kaspersky explains.

The module would continuously contact the command and control (C&C) server to fetch and run an additional executable file. The communication with the server is performed in a manner similar to that employed by the Windows version, with the system information being sent encrypted, disguised as an image file upload and download.
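The staging described above (server response is base64-encoded, then RC4-decrypted with a hardcoded key to yield an executable) is the kind of thing an analyst reverses over captured traffic. The following is an added example, not code from the report or from the malware: it implements RC4 in plain Python, undoes the two layers, and classifies the result by file magic (PE for the Windows variant, Mach-O for the macOS one) so a responder can tell a "keep quiet" response from a real payload drop. The key and the sample response are constructed placeholders; the real key is not on this page.

```python
import base64
from typing import Tuple

# Constructed placeholder key: the report does not publish the real RC4 key.
PLACEHOLDER_KEY = b"placeholder-rc4-key-not-from-report"


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Mach-O magics (32/64-bit, both byte orders) plus the FAT/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def classify_executable(blob: bytes) -> str:
    """Name the executable format by its leading magic bytes, or 'unknown'."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:4] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def extract_payload(response_b64: bytes, key: bytes) -> Tuple[str, bytes]:
    """Reverse the staging the report describes: base64 decode, then RC4 decrypt.

    Returns (classification, decrypted_bytes). A response that is not valid
    base64, or that decrypts to something with no executable magic, is the
    'keep quiet' case rather than a payload drop.
    """
    try:
        raw = base64.b64decode(response_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not-base64", b""
    plain = rc4_crypt(key, raw)
    return classify_executable(plain), plain


# Constructed sample: a fake PE stub (MZ header, padding, 'PE\0\0') wrapped the
# way the article says the server wraps a real payload. Not a real binary.
_FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
SAMPLE_PAYLOAD_RESPONSE = base64.b64encode(rc4_crypt(PLACEHOLDER_KEY, _FAKE_PE))

# Constructed sample of a response carrying no executable at all.
SAMPLE_QUIET_RESPONSE = base64.b64encode(b"nothing to see here")


if __name__ == "__main__":
    kind, body = extract_payload(SAMPLE_PAYLOAD_RESPONSE, PLACEHOLDER_KEY)
    print(f"payload response -> {kind}, {len(body)} bytes")
    kind, _ = extract_payload(SAMPLE_QUIET_RESPONSE, PLACEHOLDER_KEY)
    print(f"quiet response   -> {kind}")
```

When used on real captures, the only thing to swap in is the key recovered from the sample; the decode order (base64 first, RC4 second) is the one the report gives, and the magic check is what separates a genuine second stage from the "keeps quiet" response.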

The Updater application is hidden from the Finder app and from default Terminal directory listings, and is passed the command-line argument “CheckUpdate” at launch. Apparently, the application quits if no argument is supplied, likely a way to evade detection by sandboxes.

The updater works the same as the Windows variant, both being implemented using the cross-platform Qt framework. At execution, it creates a unique identifier for the infected host, collects basic system information, then encrypts the data and transfers it to the attacker’s server.
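The macOS traits called out above (a hidden updater that starts after each reboot and is launched with a “CheckUpdate” argument) are what a triage script can look for in launchd property lists. This is an added example, not code from the report: it assumes the persistence is a launchd plist (the article does not say how the autoupdater is registered) and flags dot-prefixed program paths, an update-style first argument, and RunAtLoad. The two plists below are constructed samples with placeholder labels and paths.

```python
import os
import plistlib
from typing import List

# Lower-cased launch arguments worth flagging; "CheckUpdate" is the one the report names.
SUSPICIOUS_ARGS = {"checkupdate"}


def hidden_component(path: str) -> bool:
    """True if any directory or file name in the path is dot-prefixed,
    i.e. hidden from Finder and from a plain `ls`."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in path.split("/"))


def triage_launch_item(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one LaunchAgent/LaunchDaemon plist."""
    findings: List[str] = []
    try:
        item = plistlib.loads(plist_bytes)
    except Exception:  # plistlib.InvalidFileException or an expat parse error
        return ["unparseable plist"]
    args = [str(a) for a in (item.get("ProgramArguments") or [])]
    if item.get("Program"):
        args = [str(item["Program"])] + args
    if not args:
        return findings
    if hidden_component(args[0]):
        findings.append(f"program path has a hidden (dot-prefixed) component: {args[0]}")
    if any(a.lower() in SUSPICIOUS_ARGS for a in args[1:]):
        findings.append(f"launched with an update-style argument: {args[1:]}")
    if item.get("RunAtLoad"):
        findings.append("RunAtLoad is true (starts at boot/login)")
    return findings


def scan_directory(dirpath: str) -> dict:
    """Triage every .plist in a launchd directory; returns {filename: findings}."""
    results = {}
    for name in sorted(os.listdir(dirpath)):
        if name.endswith(".plist"):
            with open(os.path.join(dirpath, name), "rb") as fh:
                results[name] = triage_launch_item(fh.read())
    return results


# Constructed sample shaped like the behaviour the report describes (placeholder
# label and path; not an indicator from the report).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.autoupdater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/ExampleTrader/.updater/Updater</string>
    <string>CheckUpdate</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign sample: visible path, no flagged argument, no RunAtLoad.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup</string>
    <string>--nightly</string>
  </array>
  <key>StartInterval</key><integer>86400</integer>
</dict></plist>"""


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(label, "->", triage_launch_item(blob) or ["no findings"])
    # On a live host: scan_directory("/Library/LaunchAgents") and the per-user
    # ~/Library/LaunchAgents, then prioritise items with a hidden program path.
```

The hidden-path check is the strongest signal of the three; RunAtLoad on its own is common in legitimate software, so it is reported as context rather than as a verdict.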

The dropped executable file has an unusually large size, likely because it was inflated with junk data. The main purpose of the malware is to implant the Fallchill backdoor loader onto the compromised machine.

The Fallchill backdoor is a piece of malware formerly attributed to the Lazarus group that contains “enough functions to fully control the infected host,” Kaspersky points out. The malware operators appear to be reusing code and C&C infrastructure over and over again, the security firm also notes.

“Lazarus group has entered a new platform: macOS. […] We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once,” Kaspersky says.

What is yet unclear, however, is whether Lazarus was able to compromise Celas and abuse its update mechanism to deliver malware, or if the hackers managed to create “a legitimate looking business and inject a malicious payload into a ‘legitimate looking’ software update mechanism,” thus creating a fake supply chain.

Related: North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
