North Korea’s notorious cyber-hacking outfit, “Lazarus Group,” has reportedly deployed a MacOS-based malware to infiltrate cryptocurrency exchanges and applications, according to Kaspersky Labs.
North Korean Attackers Strike
To date, Lazarus remains an unknown entity, with no information on the number of individuals identifying with the outfit. Lazarus first made waves in 2009 after launching a worldwide Distributed Denial of Service (DDoS) attack against the South Korean government in 2009.
The group also gained fame after attacking Sony in 2014 and stealing over $15 million from a Spanish bank in 2015. Now, the group has launched its first-ever MacOS-based virus, which is aimed at 2018’s most infamous cybercrime–cryptojacking.
According to the report, Lazarus infiltrated the computer systems of an Asia-based cryptocurrency exchange, keeping its identity secure.
Vitaly Kamlut, head of Kaspersky’s global research and analysis team in the APAC region, revealed the exchange did not face any financial losses, at least to their knowledge. The researcher also stated that the exchange in question may have successfully eradicated the threat after Kaspersky notified them.
Employee Discovers Attacks
Kaspersky Labs used the pseudonym of “Operation AppleJeus” to discover the nefarious agency behind the hack. The company was first informed about the fallacy after an employee downloaded a cryptocurrency application from a legitimate-looking website dedicated to crypto trading.
However, the employee soon discovered the application was fraudulent and infected with malware. Running on Windows, the program automatically connected to the internet and downloaded “Fallchill,” a remote access trojan (RAT) virus that has been identified as the Lazarus Group’s signature attack, at least since its deployment in political campaigns in 2016.
The Windows-targeting Lazarus went a step further for this instance and created a MacOS counterpart for Fallchill, hiding the strain in the Mac version of the crypto trading app.
Researchers noted that the virus was not embedded in the code frame of the infected application. Instead, it’s updated component was modified with code to download the malware when a user installed the application. Such a step avoided the crypto trading app from getting flagged during initial download.
Fake Digital Certificate
Researchers also found the application was signed by a secure digital certificate, despite containing a trojan, allowing the malicious download code to bypass several security checks.
However, the biggest mystery in this regard was that Kaspersky researchers could not find and verify an address for the digital signatory firm’s location, i.e. it did not exist at the provided addresses.
“The fact that they developed malware to infect MacOS users in addition to Windows users and–most likely–even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions.”
Kamlut believes the development indicates bigger moves by Lazarus in the near future, potentially generating “big profits” for the outfit.
While Kaspersky did not reveal the infected exchange’s name, the company noted that North Korean attackers have “shown great interest” in infiltrating fiat and digital finance companies to re-route stolen funds to their country.
Cover Photo by Ciaran O'Brien on Unsplash