Lazarus group goes back to the Apple orchard with new macOS trojan

In-memory malware a first for suspected Nork hacking crew

The Lazarus group, which has been named as one of North Korea's state-sponsored hacking teams, has been found to be using new tactics to infect macOS machines.

Dinesh_Devadoss, a threat analyst with anti-malware merchant K7 Computing, took credit for the discovery and reporting of what is believed to be the Lazarus group's first piece of in-memory malware on the Apple operating system.

In-memory infections, also known as fileless malware, operate entirely within the host machine's volatile RAM. This allows the software nasty to avoid setting off any antivirus systems that monitor files in storage or otherwise don't regularly scan all of system memory for threats

The malware sample found by Dinesh_Devadoss was dissected this week by Mac security guru Patrick Wardle, who says that the attack is a new spin on the classic Lazarus group tactic for slipping its malware onto the machines of unsuspecting users; by not installing any files during the secondary stage of the attack where the actual malicious activity occurs.

As with other infections from the Lazarus group, the attack begins as a fake cryptocurrency application that uses social engineering to trick the user into installing and running what they think is a legitimate app. This portion of the attack is similar to the previous 'applejeus' malware.

After the trojan is launched, however, the malware shows off its new trick: the secondary payload, the one where the actual spying or data theft would occur, can be performed in-memory without having to install further files on the hard drive.


Lazarus Group rises again from the digital grave with Hoplight malware for all


To do this, Wardle says, the malware first downloads and decrypts the payload, then, using macOS API calls, creates what is called an object file image. This lets the malicious package run in memory just as it would were it installed locally.

"As the layout of an in-memory process image is different from it’s on disk-in image, one cannot simply copy a file into memory and directly execute it," Wardle said. "Instead, you must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of the mapping and linking)."

So far, there is no indication as to precisely what Lazarus group plans to do with its new toy.

"At this time, while the remote command & control server remains online," Wardle explained, "it simply it responding with a '0', meaning no payload is provided."

If the history of Lazarus group is any indication, however, the malware will likely have some sort of financial or government use to help fill the North Korean regime's coffers. ®

Other stories you might like

  • Talos names eight deadly sins in widely used industrial software
    Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)

    A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

    The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

    Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

    Continue reading
  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading

Biting the hand that feeds IT © 1998–2022