North Korean hacker group targets macOS with cryptojacking malware
MANILA, Philippines - Lazarus, a notorious North Korean hacker group, is said to be responsible for recent breaches of several global banks and cryptocurrency exchanges, according to security firm Kaspersky Lab.
The group is suspected of having developed and deployed malware that can remotely and secretly take over a computer in a campaign to steal cryptocurrency.
Kaspersky Lab traced one such attack back to an email that convinced a company employee to download a third-party cryptocurrency trading app that was actually a Trojan, a harmful program in disguise. The app contained a malware strain called Fallchill, a tool the suspected cybercrime group has employed in the past.
The researchers say that the app in question, called Celas Trade Pro, “showed no signs of malicious behavior” and “looked genuine.” A closer look at the installation package downloaded from the Celas website, however, revealed a suspicious updater that would deploy the malware.
“First it (the app) collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update,” Kaspersky Lab explained.
Kaspersky has also learned that Lazarus developed the malicious software for both Windows and Mac operating systems. While the app functions the same way on both platforms, this appears to be the first time the cybercrime group has targeted macOS.
“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,” the researchers said. “For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies.”
When the researchers investigated Celas, they found that the website domain had been paid for with cryptocurrency and that its listed physical address was a ramen shop, leading them to suspect that the company had simply been set up by the North Koreans.
Lazarus is behind a number of highly publicized attacks, including the Sony Pictures breach in late 2014 that gave the hackers access to the company’s internal emails and unreleased films.
Kaspersky Lab warns businesses relying on third-party software to be vigilant of Lazarus’ sophisticated operations. “Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors.” – Rappler.com