North Korean-linked threat actor Lazarus has been employing at least four new Mac-targeting malware families in recent attacks, SentinelOne security researchers reveal.
Active for over a decade and also referred to as Hidden Cobra, Lazarus has started targeting Macs rather recently, mainly in financially motivated cyberattacks, some targeting cryptocurrency exchanges, such as the AppleJeus campaign.
Some of the most recent malware families that Lazarus has been leveraging in attacks include the macOS version of the DaclsRAT, and the cross-platform MATA framework, which also targets Windows and Linux systems.
In a July 27 report, SentinelOne revealed that a newer version of DaclsRAT was deployed on April 1, on a more recent macOS platform release, “indicating if nothing else that the malware authors were vigilant at keeping up with macOS updates on their own machines, whether virtual or metal-based.”
The malware is distributed as a trojanized one-time-password (OTP) application named TinkaOTP, with two variants observed. One of them carries the payload in the resources folder, while the other downloads it from the command and control (C&C) server.
In addition to the DaclsRAT malware, which appears related to the MATA framework, Lazarus has used in recent months trojanized cryptocurrency-related software, such as CoinGoTrade and Cryptoistic, which are written in Objective-C and Swift, respectively.
Simultaneously with all three new malware variants, Lazarus has started using a lightweight backdoor written primarily in Objective-C and C and referred to as OSX.Casso, which also has a Windows counterpart. The backdoor, SentinelOne says, represents an evolution of the Lazarus-related executable ‘Flash Player’.
More recently, Lazarus appears to have been working with two additional malware families, referred to as WatchCat and MediaRemote, based on observed strings for “com.apple.watchcat.plist” and “MediaRemote.app,” with detections increasing rapidly over the past 14 days.
The samples show code overlaps with previous backdoors and trojanized OTP apps, but “there is also much more to this malware that has not been seen in the other samples, including use of a WebShell and an onboard crc32 table for decrypting a config file,” SentinelOne says. WatchCat, however, has yet to be observed in the wild.
“All of the samples reviewed above have appeared in the last eight to ten weeks and are evidence that threat actors behind the Lazarus group are pursuing several distinct campaigns, using a variety of technologies, and are themselves keeping up-to-date with the Apple platform. These are not actors merely porting Windows malware to macOS, but rather Mac-specific developers deeply invested in writing custom malware for Apple’s platform,” SentinelOne concludes.