Tue. May 26th, 2020

Lazarus APT Targets macOS Users With Sophisticated New Malware

Mac users beware: researchers have discovered a new stealthy trojan that poses as a cryptocurrency trading platform.

Security researcher Dinesh Devadoss discovered the trojan, which disguises itself as a crypto-trading platform called Union Crypto trader. Even worse, the malware can evade most anti-virus software.

In a tweet, Devadoss posted a hash for the trojan.

macOS security researcher Patrick Wardle also analyzed the malware and linked it to the infamous Lazarus hacking group.

In a blog post, he said:

“Lazarus Group has a propensity for targeting users or administrators of crypto-currency exchanges. And their de facto method of infecting such targets is via fake crypto-currency company and trading applications.”

Moreover, Wardle says the “fileless” trojan carries out a “pure in-memory execution of a remotely downloaded payload,” which is similar to previous Lazarus campaigns.

Wardle also notes that the group seems to be honing its skills, because “this (new) sample contains rather sophisticated capabilities, which I’ve never seen before in (public) macOS malware.”

In the same post, Wardle dissects the malware step by step to show how it can remotely download and execute payloads directly in memory on macOS; for a full breakdown, see his post.