Connect with us

Hi, what are you looking for?



North Korean Hackers Hit Cryptocurrency Exchange with macOS Malware

In a recent attack against a cryptocurrency exchange, the North Korea-linked Lazarus group went the extra mile by deploying malware for macOS, Kaspersky Lab has discovered.

In a recent attack against a cryptocurrency exchange, the North Korea-linked Lazarus group went the extra mile by deploying malware for macOS, Kaspersky Lab has discovered.

Active since at least 2009 and supposedly backed by the North Korean government, Lazarus is considered the most serious threat to banks. The group is said to have orchestrated a large number of high profile attacks, including the Sony hack in 2014 and last year’s WannaCry outbreak.

In the recent months, in addition to banks, the group focused on various cryptocurrency exchanges. In one of the attacks, which Kaspersky refers to as Operation AppleJeus, the group tricked an unsuspecting employee to download a trojanized cryptocurrency trading application that covertly downloaded and installed the Fallchill malware.

What made this attack stand out compared to other Lazarus-linked incidents, however, was the fact that the attackers designed their malware to target macOS too, in addition to Windows. This is the first time Lazarus is observed using malware for Apple’s operating system, Kaspersky says.

“The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms,” the security firm points out.

The malicious code, however, wasn’t delivered alongside the application’s installation package. Instead, it was pushed to the target machine in the form of an update, Kaspersky’s security researchers have discovered.

The legitimate-looking application is called Celas Trade Pro and comes from Celas Limited. An all-in-one style cryptocurrency trading program, it showed no signs of malicious behavior at first.

However, at the end of the installation process, it was seen running the Updater.exe module, which would collect system information and send it back to the server in the form of a GIF image.

Advertisement. Scroll to continue reading.

Based on the server’s response, the updater either keeps quiet or extracts a payload with base64 and decrypts it using RC4 with another hardcoded key to retrieve an executable file.

“For macOS users, Celas LLC also provided a native version of its trading app. A hidden ‘autoupdater’ module is installed in the background to start immediately after installation, and after each system reboot,” Kaspersky explains.

The module would continuously contact the command and control (C&C) server to fetch and run an additional executable file. The communication with the server is performed in a manner similar to that employed by the Windows version, with the system information being sent encrypted, disguised as an image file upload and download.

The Updater application is unlisted in the Finder app or default Terminal directory listing and is passed the command-line argument “CheckUpdate” at launch. Apparently, the application quits if no argument is fed, likely a way to trick detection by sandboxes.

The updater works the same as the Windows variant, both being implemented using the cross-platform Qt framework. At execution, it creates a unique identifier for the infected host, collects basic system information, then encrypts the data and transfers it to the attacker’s server.

The dropped executable file has an unusually large size, likely because it was inflated with junk data. The main purpose of the malware is to implant the Fallchill backdoor loader onto the compromised machine.

The Fallchill backdoor is a piece of malware formerly attributed to the Lazarus group that contains “enough functions to fully control the infected host,” Kaspersky points out. The malware operators appear to be reusing code and C&C infrastructure over and over again, the security firm also notes.

“Lazarus group has entered a new platform: macOS. […] We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once,” Kaspersky says.

What is yet unclear, however, is whether Lazarus was able to compromise Celas and abuse its update mechanism to deliver malware, or if the hackers managed to create “a legitimate looking business and inject a malicious payload into a ‘legitimate looking’ software update mechanism,” thus creating a fake supply chain.

Related: North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...