
A new type of macOS malware distributed through a cryptocurrency exchange has been identified by security researchers, with links to a notorious North Korean hacking group.

Security researcher Dinesh Devadoss published a detailed analysis of the malware, explaining how it is disguised as a cryptocurrency arbitrage platform to infiltrate the macOS systems of unsuspecting victims.

The malware works by downloading a payload from a remote server and running it on the host machine, where it operates virtually undetected in the background.

In his analysis, Devadoss says the malware is similar to other types of malware put out by the North Korean hacking group Lazarus, which has been prolific in staging attacks designed to target cryptocurrency holdings.

In an analysis published on Objective-See’s blog, researchers pinned the blame on the North Korean group, after identifying several hallmarks of their attacks in its code.

“Lazarus Group has a propensity for targeting users or administrators of crypto-currency exchanges. And their de facto method of infecting such targets is via fake crypto-currency company & trading applications.”

It added, “Lazarus group continues to target macOS users with ever evolving capabilities. Today, we analyzed a new sample with the ability to remotely download and execute payloads directly from memory.”

The group has already successfully stolen in excess of $570 million in cryptocurrency across five separate attacks, and there are “clear overlaps” between the new malware and other hacks from the group.

The malicious software package is known as UnionCrypto Trader. It collects information about the user's system, including OS version and serial number, and relays it to the remote server at reboot.

For the time being, the hack appears harmless, with no malicious scripts being run from the remote server. However, researchers have suggested that this could be a precursor to a bigger attack, or an example of the hacking group testing out new techniques for future deployment.

While macOS hacks are rare, attacks of this kind are beginning to gain traction, with more groups targeting macOS systems in search of stashes of cryptocurrency to steal.
