New Malware Attack by Lazarus Group Targets macOS Users
Four Steps To Protect Yourself
The operation, conducted by the notorious Lazarus group, targeted a cryptocurrency exchange in Asia with the goal of stealing cryptocurrency from victims. What sets this attack apart is the fact that it targets macOS users, which is the first observed case of Lazarus distributing malware for this platform.
The attack began when an employee of the cryptocurrency exchange unknowingly downloaded a third-party application from a seemingly legitimate website of a software developer for cryptocurrency trading. The application appeared normal, but one component stood out - an updater.
This updater, disguised as a software update, acted as a reconnaissance module. It collected information about the computer and sent it back to the command and control server. If the attackers deemed the computer worth attacking, they would send a malicious software update that installed a Trojan known as Fallchill.
Once installed, the Fallchill Trojan provided the attackers with unlimited access to the compromised computer, allowing them to steal valuable financial information or deploy additional tools for their nefarious purposes. What is particularly concerning about this operation is that the malware was developed for both Windows and macOS platforms, with the functionalities being the same for both.
Another peculiar aspect of the AppleJeus operation is that it initially appeared to be a supply-chain attack. The vendor of the cryptocurrency trading software used to deliver the malware had a valid digital certificate and legitimate registration records for the domain.
However, upon further investigation, Kaspersky Lab researchers could not identify any legitimate organization at the address provided in the certificate's information.
Vitaly Kamluk, Head of GReAT APAC team at Kaspersky Lab, commented on the incident, stating:
"For macOS users, this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies." He emphasized the growing interest of the Lazarus group in cryptocurrency markets and their willingness to go to great lengths to conduct cyberattacks.
To protect against sophisticated cyber attacks like those conducted by Lazarus, Kaspersky Lab security experts offer the following advice:
1. Do not blindly trust the code running on your systems, even if it appears authentic or comes from a reputable company. Digital certificates and legitimate-looking websites do not guarantee the absence of backdoors.
2. Utilize robust security solutions equipped with malicious-behavior detection technologies that can catch previously unknown threats.
3. Subscribe to a high-quality threat intelligence reporting service to gain early access to information on the latest tactics, techniques, and procedures employed by sophisticated threat actors.
4. Use multi-factor authentication and hardware wallets when engaging in significant financial transactions.
The Lazarus group, known for its sophisticated operations and links to North Korea, has previously targeted banks and large financial enterprises. As cryptocurrency becomes increasingly popular, it is crucial for users to remain vigilant and implement strong security measures to protect their digital assets.