A new macOS malware sample, suspected to be the work of the North Korean hacking group known as Lazarus, has been discovered by security researchers.
If you haven’t previously heard that name, Lazarus is known for targeting cryptocurrency holdings in high-value attacks. The threat is served from a fake crypto trading platform.
On Tuesday, malware researcher Dinesh Devadoss received a hash for a new sample of macOS malware that could load and execute a Mach-O executable file from memory.
The latest sample is marketed under the name UnionCryptoTrader and has been hosted on a website called “unioncrypto.vip,” according to the research report.
It has been advertising a “smart cryptocurrency arbitrage trading platform,” but it does not provide links to download.
Patrick Wardle, a security researcher, did a detailed review of this new malware. He found several parallels and overlaps with some of MalwareHunterTeam’s previously identified malware.
According to Wardle’s research, the malware collects basic device data such as the serial number and OS version. Wardle claims the Lazarus group created this malware, and historical evidence supports this hypothesis.
The same team detected macOS malware in October this year that targeted Apple Macs through a fake cryptocurrency firm.
The researcher also discusses how a payload is executed in memory by the malware, a process he introduced at the BlackHat security conference four years ago.
The new malware has a striking similarity to an attack called Operation AppleJeus, which was found by Kaspersky and credited to the Lazarus APT team in North Korea.
In that attack, a trojanized cryptocurrency trading application was used, signed with a valid certificate issued to a company that did not exist at the address listed in the certificate information.