North Korea appears to be up to no good once again, and this time the country seems to be turning to its dirty crypto tricks in a bid to terrorize the crypto space.
On October 12, Patrick Wardle, a Principal Security Researcher at cybersecurity firm Jamf and a specialist in Apple Mac security, published a blog post outlining that the Lazarus APT Group, a notorious hacking group with close ties to Pyongyang, had created a new piece of malware targeting Apple Mac computers.
The malware was first discovered by Internet security firm MalwareHunterTeam on October 11. In his blog post, Wardle provided further insight into the nature of the threat.
The .dmg for Mac (with the malware in it), and the malware alone are both on VT for more than a month, but still 0 detections when last scanned.
— MalwareHunterTeam (@malwrhunterteam) October 11, 2019
Hiding in Plain Sight
Wardle and MalwareHunterTeam warned Apple Mac users that, at the time of their publications, no detection engine on VirusTotal had flagged the threat.
However, the sample also appeared strikingly similar to a strain of Mac-targeted malware that the Lazarus Group had created earlier. Known as Operation AppleJeus, that earlier tool was brought to light by Internet security giant Kaspersky Labs in the summer of 2018.
Just as in Operation AppleJeus, the new malware works by hiding in plain sight. According to Wardle, the hackers set up a bogus cryptocurrency firm known as JMT Trading, which serves as a front for orchestrating their attacks. The hackers reportedly concealed the malware in the code of the firm's crypto trading app and then uploaded that code to GitHub, so anyone who downloads and installs it is infected.
Wardle also examined the app's installation process and identified a suspicious daemon package concealed within it. The daemon package is a malicious backdoor script which can give a remote attacker total control over a system running macOS; Wardle noted, however, that it can easily be detected by manual inspection and open-source security tools.
Still, he reiterated that no tool on VirusTotal could currently identify the threat. In his blog post, Wardle opined that the hackers were most likely targeting employees of cryptocurrency exchanges, not everyday traders or retail investors.
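The manual inspection Wardle refers to comes down to looking at what the installer drops. As an added example that is not part of the original post or of Wardle's analysis, the script below triages macOS LaunchDaemon property lists for traits a dropped backdoor typically shows (program outside trusted locations, hidden executable name, RunAtLoad/KeepAlive); the two plist samples are constructed and the trusted-path list is an assumption.

```python
"""Triage macOS LaunchDaemon plists for traits typical of a dropped backdoor.

Added example, not code from the original post or from Wardle's analysis.
The property-list samples below are constructed, not taken from any real installer.
"""
import plistlib
from pathlib import Path

# Assumed set of locations a legitimately installed daemon normally runs from.
TRUSTED_PREFIXES = ("/usr/", "/System/", "/Library/", "/Applications/", "/bin/", "/sbin/")


def daemon_findings(plist_bytes: bytes) -> list:
    """Return human-readable suspicious traits found in one LaunchDaemon plist."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    findings = []
    if not program:
        findings.append("no program specified")
    else:
        if not program.startswith(TRUSTED_PREFIXES):
            findings.append(f"program outside trusted locations: {program}")
        if Path(program).name.startswith("."):
            findings.append(f"hidden executable name: {program}")
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad: starts automatically at boot")
    if data.get("KeepAlive"):
        findings.append("KeepAlive: relaunched if terminated")
    return findings


def triage_directory(directory: str) -> dict:
    """Map each *.plist under directory (e.g. /Library/LaunchDaemons) to its findings."""
    return {p.name: daemon_findings(p.read_bytes())
            for p in sorted(Path(directory).glob("*.plist"))}


# Constructed samples: a typical vendor daemon and one resembling a dropped backdoor.
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"],
})
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Users/Shared/.helper"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, daemon_findings(sample) or "nothing flagged")
```

Run `triage_directory("/Library/LaunchDaemons")` on a Mac to apply the same checks to every installed daemon; anything flagged deserves a look at the binary it points to.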
The Deadly Lazarus Group Lives On
This isn’t the first time that North Korea or the Lazarus Group has set out to conduct cryptocurrency-related hacks. The Lazarus Group achieved infamy after it was linked to the hack of South Korean cryptocurrency exchange Coincheck, which saw the exchange lose up to $532 million in NEM tokens.
However, the group has also been said to be innovating. On March 26, 2019, Kaspersky Labs published a report outlining that the group has been adopting new methods in its hacking operations, including, but not limited to, operations that allow it to control Windows and macOS devices.
Kaspersky also identified misrepresentation as a major tactic of the group, claiming that it now uses bogus WordPress files and open-source projects to lure developers into downloading its malicious code. Once these files are downloaded, it’s game on.
As for North Korea, all of this is good news to its ears, especially given that the proceeds of the group’s hacks have reportedly been flowing to the government and its weapons program. Pyongyang has vehemently denied this, but the links between it and the Lazarus Group remain rather damning.