North Korean hacker group targets macOS with cryptojacking malware
MANILA, Philippines - Lazarus, a notorious North Korean hacker group, is said to be responsible for recent breaches of several global banks and cryptocurrency exchanges, according to security firm Kaspersky Lab.
The group is suspected of having developed and deployed a malware that can remotely and secretly take over a computer in a campaign to steal cryptocurrency.
Kaspersky Lab traced one such attack back to an email that convinced a company employee to download a third-party cryptocurrency trading app that was actually a Trojan, a harmful program in disguise. The app contained a malware strain called Fallchill, a tool employed by the suspected cybercrime group in the past.
The researchers claim that the app in question, called Celas Trade Pro, “showed no signs of malicious behavior” and “looked genuine.” They later found that the installation package downloaded from the Celas website contained a suspicious updater that would deploy the malware.
“First it (the app) collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update,” Kaspersky Lab explained.
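The staged delivery the researchers describe, where an updater profiles the host, beacons out, and only then receives a second stage disguised as an update, leaves a recognizable sequence in endpoint telemetry: an outbound connection from an updater process followed shortly by that same process writing a new executable to disk. The correlation rule below is an added illustration written for this page, not code from Kaspersky Lab or from the Celas package; the event format, process names, host names and paths are all constructed for the example.

```python
"""Toy correlation rule for the staged-update pattern described above.

Constructed endpoint telemetry (not real data): each event is a dict with a
timestamp, process name, pid, event type and details. The rule flags a
process that first sends data to a remote host and then, within a window,
writes a new executable to disk. A legitimate update check that receives a
small "nothing to do" reply, or an installer that only phones home after
writing its files, does not match.
"""
from collections import defaultdict

# Constructed sample telemetry (hypothetical process, host and path names).
SAMPLE_EVENTS = [
    # pid 4242: profile sent out, large reply, executable dropped -> alert
    {"ts": 100, "proc": "Updater", "pid": 4242, "type": "net_out",
     "dest": "update.example-vendor.test:443", "bytes": 812},
    {"ts": 103, "proc": "Updater", "pid": 4242, "type": "net_in",
     "dest": "update.example-vendor.test:443", "bytes": 204800},
    {"ts": 104, "proc": "Updater", "pid": 4242, "type": "file_write",
     "path": "/Library/Application Support/Vendor/helper", "executable": True},
    # pid 5150: update check with a short reply and no file written -> quiet
    {"ts": 200, "proc": "Updater", "pid": 5150, "type": "net_out",
     "dest": "update.example-vendor.test:443", "bytes": 800},
    {"ts": 201, "proc": "Updater", "pid": 5150, "type": "net_in",
     "dest": "update.example-vendor.test:443", "bytes": 512},
    # pid 6000: ordinary document write, no network activity -> quiet
    {"ts": 300, "proc": "TextEditor", "pid": 6000, "type": "file_write",
     "path": "/tmp/notes.txt", "executable": False},
    # pid 7000: installer writes first, then reports in -> quiet (wrong order)
    {"ts": 400, "proc": "Installer", "pid": 7000, "type": "file_write",
     "path": "/Applications/Tool.app/Contents/MacOS/Tool", "executable": True},
    {"ts": 410, "proc": "Installer", "pid": 7000, "type": "net_out",
     "dest": "stats.example-vendor.test:443", "bytes": 300},
]

WINDOW_SECONDS = 600  # how long after the beacon a dropped binary still counts


def correlate_staged_updates(events, window=WINDOW_SECONDS):
    """Return one alert per process that beacons out and then drops an executable.

    Each alert records the pid, process name, beacon destination, bytes that
    came back from that destination before the drop, and the dropped path.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        beacon = next((e for e in evs if e["type"] == "net_out"), None)
        if beacon is None:
            continue
        inbound = 0
        for ev in evs:
            if ev["ts"] < beacon["ts"]:
                continue  # writes before the beacon are not a fetched payload
            if ev["type"] == "net_in" and ev["dest"] == beacon["dest"]:
                inbound += ev["bytes"]
            if (ev["type"] == "file_write" and ev.get("executable")
                    and ev["ts"] - beacon["ts"] <= window):
                alerts.append({
                    "pid": pid,
                    "proc": ev["proc"],
                    "dest": beacon["dest"],
                    "bytes_in_before_drop": inbound,
                    "dropped": ev["path"],
                })
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate_staged_updates(SAMPLE_EVENTS):
        print("staged payload via updater:", alert)
```

The rule keys on order and timing rather than on any particular domain or file name, which is the point the researchers make: the site, the company profile and the certificate all looked fine, so a detection that depends on reputation alone would have stayed silent. In practice the window and the notion of "executable" would be tuned to the telemetry source in use.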
Kaspersky has also learned that Lazarus developed the malicious software for both Windows and Mac operating systems. While the app functions the same way on both platforms, this appears to be the first time the cybercrime group has targeted macOS.
“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,” the researchers said. “For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies.”
When the researchers investigated Celas, they found that the website domain had been paid for in cryptocurrency and that the company's physical address was a ramen shop, leading them to suspect that the company had simply been created by the North Koreans.
Lazarus is behind a number of highly publicized attacks, including the Sony Pictures breach in late 2014 that gave the hackers access to the company’s internal emails and unreleased films.
Kaspersky Lab warns businesses relying on third-party software to be vigilant of Lazarus’ sophisticated operations. “Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors.” – Rappler.com