Security researchers have discovered the first-ever Mac malware deployed by Lazarus, the hacking group associated with the North Korean state.
Lazarus achieved notoriety back in 2014 when it hacked film-maker Sony Pictures over The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un. A group calling itself Guardians of Peace - a front for Lazarus Group - claimed responsibility for the attack that crippled the company for days and enabled the group to release highly sensitive emails.
The new malicious operation was originally uncovered by Russian security company Kaspersky's Global Research and Analysis Team (GReAT) in 2017. Called AppleJeus, it helped Lazarus to penetrate the IT security of a cryptocurrency exchange platform in Asia for the purpose of theft.
In addition to Windows-based malware, the researchers identified a previously unknown version targeting MacOS.
"This is the first case where Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware that targets MacOS users, and it represents a wakeup call for everyone who uses this OS for cryptocurrency-related activity," Kaspersky warned in a statement.
"Based on the analysis by GReAT, the penetration of the stock exchange's infrastructure began when an unsuspecting company employee downloaded a third-party application from the legitimate looking website of a company that develops software for cryptocurrency trading."
GReAT said that the application's code was not suspicious, with the exception of one component: an updater. The attack was able to happen, it said, because legitimate software carries such components too, where their purpose is to download new versions of programs.
"In the case of AppleJeus, [the updater component] acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update," the team explained.
The malicious update then installs a Trojan known as Fallchill, an old tool that the Lazarus group has recently switched back to. This provided the researchers with a base for attribution.
"Upon installation, the Fallchill Trojan provides the attackers with almost unlimited access to the attacked computer, allowing them to steal valuable financial information or to deploy additional tools for that purpose," it added.
The situation was made worse by the fact that the criminals have developed software for both the Windows and MacOS platforms, the latter of which is generally far less exposed to cyberthreats than Windows.
"The functionality of both platform versions of the malware is exactly the same."
Kaspersky's GReAT team noticed a growing interest of the Lazarus Group in cryptocurrency markets at the beginning of 2017, when Monero mining software was installed on one of their servers by a Lazarus operator.
Since then, the team said, the group has been spotted several times targeting cryptocurrency exchanges alongside regular financial organisations.
"The fact that they developed malware to infect MacOS users in addition to Windows users and - most likely - even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation," Kaspersky's Head of GReAT APAC team, Vitaly Kamluk, said.
"We should definitely expect more such cases in the near future.
"For MacOS users, this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies."