Lazarus Group’s AppleJeus MacOS malware targeting cryptocurrency exchanges


Lazarus Group is believed to be backed by the North Korean government and now it is using AppleJeus MacOS Malware.

Security researchers from the Global Research and Analysis Team at Kaspersky Lab have discovered the first-ever Lazarus-deployed malware for MacOS. It is reported that Lazarus has launched a new hacking campaign using the AppleJeus malware.

The group is targeting financial institutions, cryptocurrency exchanges, and fintech firms with trojanized cryptocurrency trading software. For your information, Lazarus is a hacking group backed by the North Korean government; it made headlines back in 2014 for hacking Sony Pictures over the movie The Interview.

Researchers identified that Lazarus infiltrated a cryptocurrency exchange based in Asia using new malware built for the MacOS platform. It is perhaps the very first time that the group has used malware to target Mac devices. Vitaly Kamluk, head of the research team, noted that:

“This is the first case where Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware that targets MacOS users, and it represents a wakeup call for everyone who uses this OS for cryptocurrency-related activity.”

The device is infected after copies of the malicious code are downloaded from the seemingly legitimate website of a company developing cryptocurrency trading software. The app initially shows no signs of foul play. However, researchers noted that the company's address and certificate shown on the website could not be verified.

The malware was delivered via an updater component. Such a component is usually present in authentic software, where it is used to download new versions of the app or updates; here the malicious code is disguised as a software update. After the component collects information about the host computer, and if the attackers decide to target that device, the update installs a Trojan called Fallchill.

“In the case of AppleJeus, acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update,” researchers explained.

Fallchill gives attackers unrestricted access to the targeted device; they can steal confidential data, including financial information, and may deploy additional tools to keep extracting sensitive information.

Lazarus's involvement in this campaign is proven by the use of the Fallchill Trojan, which the group has also used in its previous campaigns. AppleJeus was discovered by Kaspersky Lab in 2017. Researchers find it concerning that the campaign involves Windows-based malware alongside the malware targeting MacOS, and that both versions work in exactly the same way. It was also noted that the targeted exchange's infrastructure was infiltrated after a company employee mistakenly downloaded a third-party app.

Image credit: Kaspersky

Kaspersky Lab recommends that businesses not blindly trust the code running on their systems, because neither a digital certificate nor a good reputation is conclusive proof that a website is harmless and its software free of backdoors. Stringent security solutions with advanced detection mechanisms are required to spot malicious activity immediately. Businesses should also use hardware wallets and enable multi-factor authentication when carrying out large financial transactions.
