Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Several New Mac Malware Families Attributed to North Korean Hackers

North Korean-linked threat actor Lazarus has been employing at least four new Mac-targeting malware families in recent attacks, SentinelOne security researchers reveal.

North Korean-linked threat actor Lazarus has been employing at least four new Mac-targeting malware families in recent attacks, SentinelOne security researchers reveal.

Active for over a decade and also referred to as Hidden Cobra, Lazarus has started targeting Macs rather recently, mainly in financially motivated cyberattacks, some targeting cryptocurrency exchanges, such as the AppleJeus campaign.

Some of the most recent malware families that Lazarus has been leveraging in attacks include the macOS version of the DaclsRAT, and the cross-platform MATA framework, which also targets Windows and Linux systems.

In a July 27 report, SentinelOne revealed that a newer version of DaclsRAT was deployed on April 1, on a more recent macOS platform release, “indicating if nothing else that the malware authors were vigilant at keeping up with macOS updates on their own machines, whether virtual or metal-based.”

The malware is distributed as a trojanized one-time-password (OTP) application named TinkaOTP, with two variants observed. One of them carries the payload in the resources folder, while the other downloads it from the command and control (C&C) server.

In addition to the DaclsRAT malware, which appears related to the MATA framework, Lazarus has used in recent months trojanized cryptocurrency-related software, such as CoinGoTrade and Cryptoistic, which are written in Objective-C and Swift, respectively.

Simultaneously with all three new malware variants, Lazarus has started using a lightweight backdoor written primarily in Objective-C and C and referred to as OSX.Casso, which also has a Windows counterpart. The backdoor, SentinelOne says, represents an evolution of the Lazarus-related executable ‘Flash Player’.

More recently, Lazarus appears to have been working with two additional malware families, referred to as WatchCat and MediaRemote, based on observed strings for “com.apple.watchcat.plist” and “MediaRemote.app,” with detections increasing rapidly over the past 14 days.

The samples show code overlaps with previous backdoors and trojanized OTP apps, but “there is also much more to this malware that has not been seen in the other samples, including use of a WebShell and an onboard crc32 table for decrypting a config file,” SentinelOne says. WatchCat, however, has yet to be observed in the wild.

“All of the samples reviewed above have appeared in the last eight to ten weeks and are evidence that threat actors behind the Lazarus group are pursuing several distinct campaigns, using a variety of technologies, and are themselves keeping up-to-date with the Apple platform. These are not actors merely porting Windows malware to macOS, but rather Mac-specific developers deeply invested in writing custom malware for Apple’s platform,” SentinelOne concludes.

Related: Multi-Platform Malware Framework Linked to North Korean Hackers

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Nation-State

FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.