Lazarus, the North Korean state-sponsored hacking group, is using “homemade macOS malware” to compromise crypto businesses, according to security researchers at Kaspersky. In an update to their 2018 report, Operation AppleJeus, Kaspersky reveals that the group has developed its own macOS malware and is being stealthier in how it deploys it.
MacOS Users Targeted
2018’s AppleJeus report showed how Lazarus had moved on to targeting macOS users, given that Apple products are preferred by a large number of crypto startups. Lazarus chose this group because the crypto boom had put billions of dollars’ worth of funds in the hands of amateurs who had no idea how to protect their sudden windfall, in particular ICO recipients and exchange operators, whom the group has successfully hacked in the past – to the point where the US applied sanctions based on the rogue nation’s cyber crime activities.
To do this, the group invented a fake company through which to deliver its manipulated application, exploiting the high level of trust among potential victims to make off with their funds.
Lazarus’ Change of Tactics
Lazarus has since changed their tactics, potentially in response to Kaspersky drawing attention to their exploits:
To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next-stage payload very carefully, as well as loading the next-stage payload without touching the disk.
Kaspersky cites an increase in macOS malware similar to that already used by Lazarus to illustrate their point that Lazarus has increased its attacks on macOS systems:
After releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses. We found more macOS malware similar to that used in the original Operation AppleJeus case. This macOS malware used public source code in order to build crafted macOS installers. The malware authors used QtBitcoinTrader developed by Centrabit.
Other software Kaspersky revealed was used by Lazarus included an app called UnionCryptoTrader, which successfully collected critical information without touching the disk, while Kaspersky is also confident that attacks have been carried out through the Telegram app.
Kaspersky’s report underlines the importance of only using software that has come through the official Apple or Windows app stores, or from suppliers you can be 100% sure are legitimate.