Nork hackers Lazarus brought back to life by AppleJeus to infect Macs for the first time
Malware with polished website spotted stealing crypto-coins from traders
The malware-making gang of hackers dubbed Lazarus is said to be behind a crypto-coin-stealing nasty that infects Macs. This would be the first time this group has targeted Apple desktops.
Kaspersky Lab eggheads said today the fun-bucks generator, dubbed AppleJeus, is a port of another piece of malware Lazarus uses to commandeer Windows machines and siphon off alt-coins. The macOS strain was spotted on machines used by a cryptocurrency trading company in Asia.
Hiding itself as a legitimate piece of cryptocurrency trading software called Celas Trade Pro, AppleJeus first gathers information about the hijacked computer, and reports back to a control server. This allows the group to screen infected machines and pick out high-value targets – such as employees at currency exchanges.
If the Lazarus miscreants decide a victim's Mac is worth further attacking, another tool is pushed to the computer to swipe crypto-coins and other data. A sample of AppleJeus is available if you want to pick it apart – with care, of course.
The researchers noted that Lazarus, a hacking crew believed to have ties to North Korea, appears to have gone to great lengths to conceal the operation, including creating a valid Comodo-issued digital certificate for the software, and a professional-looking HTTPS website for the fake trading tool.
“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future," said Vitaly Kamluk, head of Kaspersky Lab's APAC Global Research and Analysis Team.
"For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies."
In addition to basic protections like using up-to-date antimalware applications, Kaspersky Lab recommends that users enable multifactor authentication for their cryptocurrency trading accounts and consider keeping a single-use, isolated machine to serve as a hardware wallet.
"This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems," the Kaspersky Lab researchers added.
"Neither good looking website, nor solid company profile nor the digital certificates guarantee the absence of backdoors." ®