Researchers at Kaspersky Lab’s Global Research and Analysis Team (GReAT) have discovered a new form of malware that has ties to the infamous Lazarus group.
The malware is known as AppleJeus and according to GReAT it is the first time it has seen malware that targets macOS from the hacking group.
The malware was reportedly used to penetrate the network of an Asian cryptocurrency exchange with the goal of stealing cryptocurrency.
Based on analysis of the incident, GReAT says that an employee at the exchange unknowingly downloaded software from a legitimate-looking website. For obvious reasons we will not be linking to the vendor or the website the malware came from.
“The application’s code is not suspicious, with the exception of one component – an updater. In legitimate software such components are used to download new versions of programs. In the case of AppleJeus, it acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update,” explains GReAT.
That update contains a Trojan known as Fallchill which gives an attacker unfettered access to an infected PC or Mac.
Comparisons have been drawn to a supply chain attack, but GReAT believes otherwise.
The researchers note that the vendor through which the malware was delivered has a valid digital certificate for signing software and legitimate-looking registration records. The overwhelming consensus, however, seems to be that Lazarus Group created a fake company, as no public record of the firm can be found.
“The fact that they [Lazarus Group] developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,” writes Vitaly Kamluk, head of the GReAT team.
“For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies,” Kamluk added.
Kaspersky Lab experts advise that companies and individuals take the following precautions to protect against attackers such as Lazarus Group.
- Do not automatically trust the code running on your systems. Neither an authentic-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors.
- Use a robust security solution, equipped with malicious-behavior detection technologies that enable even previously unknown threats to be caught.
- Subscribe your organisation’s security team to a high-quality threat intelligence reporting service in order to get early access to information on the most recent developments in the tactics, techniques and procedures of sophisticated threat actors.
- Use multi-factor authentication and hardware wallets if you are dealing with significant financial transactions. For this purpose, preferably use a standalone, isolated computer that you do not use to browse the internet or read email.