6 December 2019

North Korean hackers adopt a new technique to infect macOS machines


The Lazarus group, which is considered to be one of North Korea's state-sponsored hacking units, has been found using a new piece of macOS malware that executes its payload in memory, security researchers revealed this week. According to security researcher Patrick Wardle, who dissected the threat after it was initially discovered and reported by Dinesh_Devadoss, a threat analyst from K7 Computing, the sample appears to be the Lazarus group's first in-memory malware targeting Apple's operating system.

Active since at least 2009, the Lazarus group was first spotted using macOS malware in the summer of 2018 and has continued to target macOS users with ever-evolving capabilities. Recent Lazarus campaigns have focused on users and administrators of cryptocurrency exchanges, mainly via fake cryptocurrency companies and trading applications. The new attack also targets cryptocurrency users, but the group has slightly changed its usual approach to delivering malware to unsuspecting users' machines: once the first-stage binary is running, the second-stage payload is loaded and executed directly in memory rather than written to disk, which leaves fewer artifacts for file-based scanners to find.

Like the group's previous campaigns, the attack begins with a fake cryptocurrency application that relies on social engineering to trick the user into installing and running what they believe is a legitimate app. For this campaign, the attackers set up a new website, unioncrypto(dot)vip, which resolves to the IP address 104.168.167.16. The domain hosts the malicious disk image UnionCryptoTrader.dmg, which contains a single unsigned package named UnionCryptoTrader.pkg. Because the package is unsigned, macOS warns the user when they attempt to open it, so the user has to actively bypass that warning for the infection to proceed.

The package contains a postinstall script that installs a launch daemon. Writing a daemon into the system's LaunchDaemons directory requires root, so the installer prompts the user for their credentials. The daemon's RunAtLoad key is set to true, which causes macOS to start the binary automatically at every boot and gives the malware persistence.

“Installing a launch daemon (whose plist and binary were both stored hidden in the application’s resource directory) again matches Lazarus group's modus operandi,” Wardle said.
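The persistence described above (a root-installed launch daemon with RunAtLoad set, whose binary lives hidden inside an application bundle rather than in a standard system location) is something defenders can hunt for. The script below is an added example written for this page, not code from the article or from Wardle's analysis. It uses Python's standard plistlib to audit a LaunchDaemons directory and flags daemons that auto-start from a non-standard path, from a hidden path component, or under a Label that does not match the plist filename. The plist names, labels and paths it scans are constructed for illustration and are not the real indicators from the UnionCryptoTrader campaign; the list of trusted prefixes is a heuristic and should be tuned to the fleet being audited.

```python
"""Triage macOS LaunchDaemons for suspicious RunAtLoad persistence.

Added example, not from the original article or Wardle's report. The
plist contents, labels and paths below are constructed for illustration;
they are not the real indicators from the UnionCryptoTrader campaign.
"""
import os
import plistlib
import tempfile

# Prefixes where launch daemon binaries normally live on a stock or
# conventionally administered macOS system (heuristic, not exhaustive).
TRUSTED_PREFIXES = (
    "/System/",
    "/usr/bin/",
    "/usr/sbin/",
    "/usr/libexec/",
    "/Library/Apple/",
    "/Library/PrivilegedHelperTools/",
)


def program_path(plist):
    """Return the executable a launch daemon plist will start, or None."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def audit_plist(plist, filename):
    """Return a list of reasons the daemon description looks suspicious."""
    reasons = []
    if not plist.get("RunAtLoad", False):
        return reasons  # only interested in daemons that auto-start at boot
    path = program_path(plist)
    if path is None:
        return ["RunAtLoad set but no Program/ProgramArguments"]
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"runs from non-standard location: {path}")
    # A dot-prefixed component hides the plist or binary from Finder and `ls`.
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append(f"hidden path component in: {path}")
    label = plist.get("Label", "")
    if label and os.path.splitext(filename)[0] != label:
        reasons.append(f"Label {label!r} does not match filename {filename!r}")
    return reasons


def audit_launch_daemons(directory):
    """Scan a LaunchDaemons directory; return {filename: [reasons]} for hits."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except plistlib.InvalidFileException:
                findings[name] = ["unparseable plist"]
                continue
        reasons = audit_plist(plist, name)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample data (hypothetical names): one conventionally placed
# helper daemon and one mimicking the pattern described in the article, a
# hidden binary inside an application's Resources directory.
SAMPLE_PLISTS = {
    "com.example.benign.plist": {
        "Label": "com.example.benign",
        "ProgramArguments": ["/Library/PrivilegedHelperTools/com.example.benign"],
        "RunAtLoad": True,
    },
    "com.example.trader.plist": {
        "Label": "com.example.trader",
        "ProgramArguments": [
            "/Applications/ExampleTrader.app/Contents/Resources/.updater"
        ],
        "RunAtLoad": True,
    },
}


def demo():
    """Write the constructed plists to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_PLISTS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(content, fh)
        return audit_launch_daemons(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real host, point audit_launch_daemons at /Library/LaunchDaemons (and, for per-user persistence, at ~/Library/LaunchAgents) and review every hit by hand: a non-standard path is a triage signal, not proof of compromise, since some legitimate third-party installers also place daemons in unusual locations.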

A more detailed technical analysis of the attack, as well as Indicators of Compromise (IoCs) related to this campaign can be found here.
