This article is more than 1 year old

Lazarus group goes back to the Apple orchard with new macOS trojan

In-memory malware a first for suspected Nork hacking crew

The Lazarus group, which has been named as one of North Korea's state-sponsored hacking teams, has been found to be using new tactics to infect macOS machines.

Dinesh_Devadoss, a threat analyst with anti-malware merchant K7 Computing, took credit for the discovery and reporting of what is believed to be the Lazarus group's first piece of in-memory malware on the Apple operating system.

In-memory infections, also known as fileless malware, operate entirely within the host machine's volatile RAM. This allows the software nasty to avoid setting off any antivirus systems that monitor files in storage or otherwise don't regularly scan all of system memory for threats

The malware sample found by Dinesh_Devadoss was dissected this week by Mac security guru Patrick Wardle, who says that the attack is a new spin on the classic Lazarus group tactic for slipping its malware onto the machines of unsuspecting users; by not installing any files during the secondary stage of the attack where the actual malicious activity occurs.

As with other infections from the Lazarus group, the attack begins as a fake cryptocurrency application that uses social engineering to trick the user into installing and running what they think is a legitimate app. This portion of the attack is similar to the previous 'applejeus' malware.

After the trojan is launched, however, the malware shows off its new trick: the secondary payload, the one where the actual spying or data theft would occur, can be performed in-memory without having to install further files on the hard drive.


Lazarus Group rises again from the digital grave with Hoplight malware for all


To do this, Wardle says, the malware first downloads and decrypts the payload, then, using macOS API calls, creates what is called an object file image. This lets the malicious package run in memory just as it would were it installed locally.

"As the layout of an in-memory process image is different from it’s on disk-in image, one cannot simply copy a file into memory and directly execute it," Wardle said. "Instead, you must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of the mapping and linking)."

So far, there is no indication as to precisely what Lazarus group plans to do with its new toy.

"At this time, while the remote command & control server remains online," Wardle explained, "it simply it responding with a '0', meaning no payload is provided."

If the history of Lazarus group is any indication, however, the malware will likely have some sort of financial or government use to help fill the North Korean regime's coffers. ®

More about


Send us news

Other stories you might like