Stealthy MacOS Malware Tied to Lazarus APT

Researcher discovered a MacOS trojan hiding behind a fake crypto trading platform believed to be the work of the state-sponsored North Korean hackers behind WannaCry.

Researchers have identified new MacOS malware that can execute remote code in memory that they believe is the work of the powerful North Korean APT group Lazarus, they said Thursday.

Security researcher Dinesh Devadoss on Twitter posted a hash for a MacOS trojan he discovered that hides behind a fake crypto trading platform called Union Crypto Trader and can elude detection by most anti-virus software.

After Devadoss posted about his discovery, security researcher and MacOS hacker Patrick Wardle took a deeper dive into the malware, noting that the delivery method of the trojan—through a crypto-currency installer package, UnionCryptoTrader.pkg–seems an obvious sign of Lazarus involvement.

“Lazarus Group has a propensity for targeting users or administrators of crypto-currency exchanges,” he wrote in a blog post. “And their de facto method of infecting such targets is via fake crypto-currency company and trading applications.”

Indeed, the newly discovered attack follows this pattern, with the installer being hosted on a website called “unioncrypto.vip” that advertises a “smart cryptocurrency arbitrage trading platform” but provides no download links, according to one report about the malware.

Cryptocurrency is just one key area of activity for Lazarus, a group sponsored by the government of North Korean that already was seen earlier this year mounting a broad cyber-criminal campaign against the cryptocurrency business.

The active and dangerous APT group also is believed to be behind the WannaCry attack that caused millions of dollars of economic damage in 2017, as well as mounted a high-profile attack against Sony Pictures Entertainment in 2014. It even has appeared to spawn a spinoff group, the entire mission of which is to steal money from banks to fund Lazarus’ cyber-criminal operations.

Wardle said the newly identified MacOS trojan also shows that Lazarus has been honing its skills, noting that “this (new) sample contains a rather sophisticated capabilities, which I’ve never seen before in (public) macOS malware.”

Wardle breaks down the malware step by step to show how it can remotely download and execute payloads directly from memory on MacOS. Once enabled, the installer executes a postinstall script at the end of the installation process, the purpose of which is to persistently install a launch daemon, he said.

“Specifically, the script will: move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons; set it to be owned by root; create a /Library/UnionCrypto directory; move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/; set it to be executable; [and] execute this binary (/Library/UnionCrypto/unioncryptoupdater),” he wrote in his post.

The malware then asks a user to enter his or her credentials to complete the install which, once finished, leaves the binary unioncryptoupdater executing and persistently installed, Wardle said. This allows the malware to perform its core capability on an infected machine: “Pure in-memory execution of a remotely downloaded payload,” he wrote, calling the capability “sexy.”

The one piece of good news about the discovery of Lazarus’ latest malware is the average Mac user doesn’t have to worry about being targeted by it, Wardle said. Moreover, as the installer package is unsigned, macOS will warn any users if they attempt to open it, he said.

Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.