Lazarus ATP group armed with macOS hacking technology

The Lazarus ATP group, which experts often link to North Korea government, has been armed with new technology to hack macOS computers.

[dropcap]K[/dropcap]7 Computing Security Analyst Dinesh Devadoss discovered the first malware in the Lazarus arsenal to run in Mac memory.

Dinesh Devadoss

Dinesh Devadoss

“Another #Lazarus #macOS #trojan.Contains code: Loads Mach-O from memory and execute it / Writes to a file and execute it.”, — twitted Dinesh Devadoss.

Such file-free programs work exclusively in the computer’s RAM, which allows them successfully bypassing anti-virus solutions that look for malicious files on hard drives.

Security guru Patrick Wardle examined a malware sample discovered by Devadoss this week. According to him, malware is a new round in the development of tactics used by Lazarus to quietly infect computers.

“Lazarus group continues to target macOS users with ever evolving capabilities. This (new) sample contains a rather sophisticated capabilities, which I’ve never seen before in (public) macOS malware!”, — writes Patrick Wardle.

As in other Lazarus malicious operations (in particular, AppleJeus operation), a new attack begins with the victim installing malware disguised as a legitimate cryptocurrency trading application.

Read also: American blockchain expert arrested for attending conference in North Korea

However, after launching the trojan, it demonstrates a new trick: the secondary payload (its functionality is harmful) is executed directly in memory without installing any files on the hard drive.

Patrick Wardle

Patrick Wardle

“To do this, the malware first downloads and decrypts the payload, and then using the API calls on macOS creates a so-called image of the file object. This allows the malware to run in memory as if it were installed locally”, – explains Patrick Wardle on his blog.

For what purpose Lazarus has acquired a new “toy”, it is not yet clear. According to Wardle, currently the remote C&C server remains online and sends a ‘0’ in response, which indicates the absence of any payload. Lazarus Group has a propensity for targeting users or administrators of crypto-currency exchanges. And their de facto method of infecting such targets is via fake crypto-currency company & trading applications.

[box]Perhaps the North Korean group intends to earn some more cryptocurrency for its government.[/box]

About the author

Sophia Zimmerman

High-quality tech & computer security copywriter, SEO editor & online marketing consultant

Leave a Comment