Researchers have discovered a new piece of “fileless” malware distributed by the infamous Lazarus APT group. According to a security researcher at K7 Labs, the group was targeting macOS users with fake cryptocurrency trading applications.
The researcher stated that the group was going after users of several cryptocurrency trading applications by trojanising a Mac application in order to steal cryptocurrency.
Malware Infection Process
According to the researcher, the attackers place their backdoor inside the resource directory of an open-source trading application and abuse the installer’s post-install script to launch it during an otherwise legitimate installation. Once running, the backdoor collects the Mac’s serial number and OS information and sends this data to the attackers.
“Lazarus has been targeting many cryptocurrency exchanges using malicious trading applications. Their usual method of trojanising a Mac application is quite simple. The threat actors place their backdoor and its persistence file in the resource directory of an open-source trading application, and then leverage the post-install script to trigger their backdoor. The post-install script present within the application installer package is usually meant to aid the legitimate installation process, but is abused by Lazarus to execute their backdoor,” the researcher said in a post.
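As an added example (not K7 Labs’ tooling and not the malware itself), the following Python script checks an expanded installer package for exactly the pattern described above: a post-install script that copies a launchd plist out of the application’s resource directory into /Library/LaunchDaemons, makes a hidden file in that directory executable, and loads the job, together with a launchd plist in the payload that keeps the hidden file running. The directory layout, the file names, and the sample post-install script and plist are constructed assumptions modelled on what `pkgutil --expand-full` produces on macOS; none of them are artefacts from the real campaign.

```python
"""Triage an expanded macOS installer package for the trojanising pattern described
above: a backdoor and its persistence plist placed in the app's resource directory,
plus a postinstall script that installs the plist and launches the backdoor.

Added example, not K7 Labs' tooling. The directory layout (Scripts/postinstall next
to an extracted Payload tree) is an assumption modelled on what `pkgutil --expand-full`
produces on macOS; the sample postinstall script and plist below are constructed here,
not taken from the real campaign.
"""
import json
import plistlib
import re
import tempfile
from pathlib import Path

# Things a trading app's postinstall script has no legitimate reason to do.
SUSPICIOUS_PATTERNS = {
    "writes_launch_item": re.compile(r"/Library/Launch(Daemons|Agents)/"),
    "loads_launch_item": re.compile(r"\blaunchctl\s+(load|bootstrap)\b"),
    "hidden_path": re.compile(r"/\.[A-Za-z0-9]"),             # dot-prefixed file or dir
    "makes_executable": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "resources_reference": re.compile(r"Contents/Resources"),  # payload staged in Resources
}


def analyse_script_text(text: str) -> dict:
    """Return {pattern_name: [matching lines]} for a postinstall script body.
    Comment lines (including the shebang) are ignored."""
    findings = {}
    for name, pat in SUSPICIOUS_PATTERNS.items():
        hits = [ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.strip().startswith("#") and pat.search(ln)]
        if hits:
            findings[name] = hits
    return findings


def analyse_launch_items(expanded: Path) -> list:
    """Parse every plist in the package that looks like a launchd job and report
    what it would run and whether it starts at boot/login."""
    items = []
    for p in expanded.rglob("*.plist"):
        try:
            data = plistlib.loads(p.read_bytes())
        except Exception:
            continue  # not a parseable plist; skip it
        if not isinstance(data, dict) or not ("ProgramArguments" in data or "Program" in data):
            continue  # Info.plist and friends are not launchd jobs
        items.append({
            "plist": p.relative_to(expanded).as_posix(),
            "label": data.get("Label"),
            "program": data.get("ProgramArguments") or [data.get("Program")],
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "keep_alive": bool(data.get("KeepAlive", False)),
        })
    return items


def triage(expanded: Path) -> dict:
    """Combine postinstall findings and launchd items into one report."""
    report = {"scripts": {}, "launch_items": analyse_launch_items(expanded)}
    for script in sorted(expanded.rglob("postinstall")):
        if script.is_file():
            findings = analyse_script_text(script.read_text(errors="replace"))
            if findings:
                report["scripts"][script.relative_to(expanded).as_posix()] = findings
    report["suspicious"] = bool(report["scripts"]) or any(
        i["run_at_load"] for i in report["launch_items"])
    return report


# ---- constructed fixture (NOT the real Lazarus artefacts) -------------------
CONSTRUCTED_POSTINSTALL = """#!/bin/bash
# Constructed sample modelled on the pattern described in the article.
RES="/Applications/TradingApp.app/Contents/Resources"
cp "$RES/.update.plist" /Library/LaunchDaemons/com.example.update.plist
chmod +x "$RES/.update"
launchctl load /Library/LaunchDaemons/com.example.update.plist
"""

CONSTRUCTED_PLIST = {
    "Label": "com.example.update",
    "ProgramArguments": ["/Applications/TradingApp.app/Contents/Resources/.update"],
    "RunAtLoad": True,
    "KeepAlive": True,
}


def build_fixture(root: Path) -> Path:
    """Lay out a fake expanded package under `root` (constructed test data)."""
    scripts = root / "Scripts"
    res = root / "Payload" / "TradingApp.app" / "Contents" / "Resources"
    scripts.mkdir(parents=True)
    res.mkdir(parents=True)
    (scripts / "postinstall").write_text(CONSTRUCTED_POSTINSTALL)
    (res / ".update.plist").write_bytes(plistlib.dumps(CONSTRUCTED_PLIST))
    (res / ".update").write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only; stands in for the backdoor
    return root


def demo() -> dict:
    """Build the fixture in a temp dir, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        return triage(build_fixture(Path(d)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real sample, mount the .dmg, expand the .pkg inside it with `pkgutil --expand-full` on macOS, and call `triage()` on the output directory; the postinstall findings tell you what the installer does, and the launchd entry tells you what survives a reboot, which is the file to pull for further analysis.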
The researcher also found a trojanised copy of UnionCryptoTrader.dmg, the disk image that packages the trading application. The campaign is believed to have been active since June 2019.
Lazarus Group has been linked to numerous earlier cyber-attacks, and it keeps looking for ways to get at cryptocurrency funds. In 2018, Kaspersky Lab uncovered AppleJeus, a Lazarus operation aimed at cryptocurrency exchanges and trading applications.
According to Kaspersky’s report, its Global Research and Analysis Team (GReAT) spotted unusual activity from attackers who had penetrated the network of an Asia-based cryptocurrency exchange using trojanised trading software to steal cryptocurrency.
Kaspersky stated that the incident began when an employee downloaded a cryptocurrency trading application from the look-alike website of a company supposedly dedicated to crypto trading. A malicious update to that application installed a Trojan known as Fallchill, which gives the attackers remote control of the compromised machine, letting them steal sensitive information or deploy further malware.