Macos Malware Targets Cryptocurrency Exchanges

Like Lazarus rising from the dead, the same-named cybercrime ring from North Korea is back – and this time they are targeting cryptocurrency exchanges using malware designed for both Windows and MacOS reports Kaspersky Lab.

On August 23, 2018, Kaspersky Lab reported that the cybercrime ring known as Lazarus Group had resurfaced with a new malware campaign – dubbed ‘AppleJeus’ by analysts – that aims to steal cryptocurrency using the trojan crypto trading software. This marks the first time that the group has deployed MacOS-based malware to breach cryptocurrency exchanges.

How It Happened

According to the report, an employee of the exchange downloaded a cryptocurrency trading application that had been recommended to the company via email. Upon installing the software, the employee’s computer was infected with the remote access Trojan ‘Fallchill’ – an older tool which the hacking group has begun using again. Unlike previous malware campaigns, however, AppleJeus was not only meant for Windows users, but for MacOS users as well.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website.
Kaspersky Lab has called this attack a “wake up call” for MacOS users who labor under the misconception that non-Windows operating systems are impervious to malware infections.

How the Malware works

Rather than include the malicious code in the initial software download, where it would have likely been detected by the user’s antivirus and/or anti-malware software, Lazarus Group did something far more insidious.

At first glance, the cryptocurrency trading app that the exchange employee downloaded, Celas Trade Pro, appears to be genuine. The AIO (all-in-one) application, developed by Celas Limited, showed no malicious behavior whatsoever. Looking closer, however, researches at Kaspersky Lab discovered what they felt was a “suspicious” updater in the application’s installation package.

In legitimate software, the updater is used to download and install new updates to the software. In this case, however, the updater acts like a reconnaissance module, initially just sending basic information about the host computer back to the hackers. If the hackers decide that the computer is worth infiltrating, the malicious code is sent to the host computer in the guise of a software update.

This “update” installs the Fallchill Trojan, which gives the hackers almost unlimited remote access to the infected computer which, according to Kaspersky Lab, “provides the attackers with almost unlimited access to the attacked computer, allowing them to steal valuable financial information or to deploy additional tools for that purpose.”