In a recent attack against a cryptocurrency exchange, the North Korea-linked Lazarus group went the extra mile by deploying malware for macOS, Kaspersky Lab has discovered.
Active since at least 2009 and supposedly backed by the North Korean government, Lazarus is considered the most serious threat to banks. The group is said to have orchestrated a large number of high profile attacks, including the Sony hack in 2014 and last year’s WannaCry outbreak.
In recent months, in addition to banks, the group has focused on various cryptocurrency exchanges. In one of the attacks, which Kaspersky refers to as Operation AppleJeus, the group tricked an unsuspecting employee into downloading a trojanized cryptocurrency trading application that covertly downloaded and installed the Fallchill malware.
What made this attack stand out compared to other Lazarus-linked incidents, however, was the fact that the attackers designed their malware to target macOS too, in addition to Windows. This is the first time Lazarus is observed using malware for Apple’s operating system, Kaspersky says.
“The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms,” the security firm points out.
The malicious code, however, wasn’t delivered alongside the application’s installation package. Instead, it was pushed to the target machine in the form of an update, Kaspersky’s security researchers have discovered.
The legitimate-looking application is called Celas Trade Pro and comes from Celas Limited. An all-in-one style cryptocurrency trading program, it showed no signs of malicious behavior at first.
However, at the end of the installation process, it was seen running the Updater.exe module, which would collect system information and send it back to the server in the form of a GIF image.
Depending on the server’s response, the updater either stays idle or base64-decodes the returned payload and decrypts it with RC4 using another hardcoded key, yielding an executable file.
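The decode-then-decrypt sequence described above is the kind of thing an analyst has to reverse when triaging a captured C&C response. The following is an added example, not code from the article or from Kaspersky’s report: it base64-decodes a response, RC4-decrypts it with a key, and checks whether the result starts with a known executable magic. The RC4 key, the fake-GIF wrapping of the response, and the sample response itself are constructed for this example and are not values from the report.

```python
import base64
import binascii

# Placeholder: the real hardcoded RC4 key would be recovered from the updater
# binary during analysis; this value is constructed for the example only.
PLACEHOLDER_RC4_KEY = b"example-key-not-from-report"

# Assumption for the example: the server's reply is wrapped in a GIF header so
# it looks like an image download on the wire.
GIF_HEADER = b"GIF89a"

# Magic bytes an analyst would expect to see once the payload is decrypted.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (macOS)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (macOS)",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; symmetric, so one function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def strip_image_disguise(response: bytes) -> bytes:
    """Remove the fake GIF header if the response carries one."""
    if response.startswith(GIF_HEADER):
        return response[len(GIF_HEADER):]
    return response


def extract_payload(response: bytes, key: bytes) -> tuple[str, bytes]:
    """Classify a captured response and return (classification, decrypted bytes).

    'quiet'      : the server sent nothing to run
    'not-base64' : the body is not a base64 blob at all
    'unknown'    : decrypted data has no recognised executable magic
    otherwise    : the name of the executable format found
    """
    body = strip_image_disguise(response).strip()
    if not body:
        return ("quiet", b"")
    try:
        raw = base64.b64decode(body, validate=True)
    except (ValueError, binascii.Error):
        return ("not-base64", b"")
    plain = rc4(key, raw)
    for magic, name in EXECUTABLE_MAGIC.items():
        if plain.startswith(magic):
            return (name, plain)
    return ("unknown", plain)


# Constructed sample: a fake PE header padded with junk bytes, wrapped the way
# the example assumes the server would (RC4 -> base64 -> GIF header).
FAKE_EXECUTABLE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode"
CONSTRUCTED_RESPONSE = GIF_HEADER + base64.b64encode(rc4(PLACEHOLDER_RC4_KEY, FAKE_EXECUTABLE))
CONSTRUCTED_QUIET = GIF_HEADER  # header with no body: the "keep quiet" case

if __name__ == "__main__":
    kind, data = extract_payload(CONSTRUCTED_RESPONSE, PLACEHOLDER_RC4_KEY)
    print(f"{kind}: {len(data)} bytes recovered")
    print(extract_payload(CONSTRUCTED_QUIET, PLACEHOLDER_RC4_KEY)[0])
```

The classification step matters in practice: the article notes the dropped executable is inflated with junk data, so an analyst checking only the size of the decrypted blob learns little, whereas checking for a PE or Mach-O header immediately tells you whether the key and the decode order were right.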
“For macOS users, Celas LLC also provided a native version of its trading app. A hidden ‘autoupdater’ module is installed in the background to start immediately after installation, and after each system reboot,” Kaspersky explains.
The module would continuously contact the command and control (C&C) server to fetch and run an additional executable file. The communication with the server is performed in a manner similar to that employed by the Windows version, with the system information being sent encrypted, disguised as an image file upload and download.
The Updater application does not appear in Finder or in a default Terminal directory listing, and it is passed the command-line argument “CheckUpdate” at launch. Apparently, the application quits if no argument is supplied, likely a way to evade detection by sandboxes that execute a sample without arguments.
The updater works the same as the Windows variant, both being implemented using the cross-platform Qt framework. At execution, it creates a unique identifier for the infected host, collects basic system information, then encrypts the data and transfers it to the attacker’s server.
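The behaviours described in the two paragraphs above (a hidden updater binary, launched with the “CheckUpdate” argument, that starts right after installation) translate directly into an endpoint hunting rule. The following is an added example, not code from the article or from any vendor product: it scores constructed process-start records on those traits and reports only those that show more than one. The record format, field names and sample paths are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """One process-start record; field names are assumed for this example."""
    path: str                    # full path of the executable
    args: list[str] = field(default_factory=list)  # argv, argv[0] included
    parent: str = ""             # path of the parent process


def is_hidden_path(path: str) -> bool:
    """True if the binary or any directory on its path is dot-prefixed,
    i.e. not shown by Finder or a plain `ls`."""
    return any(part.startswith(".") for part in path.split("/") if part)


def looks_like_installer(parent: str) -> bool:
    """Heuristic: the article says the updater was run at the end of
    installation. Names here are an assumption for the example."""
    name = parent.rsplit("/", 1)[-1].lower()
    return any(token in name for token in ("install", "setup", "pkg"))


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of suspicious traits an event exhibits."""
    reasons = []
    if is_hidden_path(ev.path):
        reasons.append("executable lives under a hidden (dot-prefixed) path")
    if "CheckUpdate" in ev.args[1:]:
        reasons.append("launched with the CheckUpdate argument")
    if looks_like_installer(ev.parent):
        reasons.append("spawned by an installer at the end of setup")
    return reasons


def hunt_hidden_updater(events, min_hits: int = 2):
    """Report (path, reasons) for events with at least `min_hits` traits.
    Requiring two traits keeps ordinary dotfile scripts and ordinary
    post-install helpers from firing on their own."""
    return [(ev.path, score_event(ev)) for ev in events
            if len(score_event(ev)) >= min_hits]


# Constructed sample events (paths and names invented for the example).
SAMPLE_EVENTS = [
    # Benign: a visible updater invoked with its own flag by the app itself.
    ProcessEvent("/Applications/SomeApp.app/Contents/MacOS/updater",
                 ["updater", "--check"], "/Applications/SomeApp.app/Contents/MacOS/SomeApp"),
    # Benign-ish: a user's dotfile script, no special argument, run from a shell.
    ProcessEvent("/Users/alice/.scripts/backup.sh", ["backup.sh"], "/bin/zsh"),
    # Suspicious: hidden path + CheckUpdate argument + spawned by an installer.
    ProcessEvent("/Users/alice/.hidden/Updater",
                 ["Updater", "CheckUpdate"], "/Volumes/Installer/Installer.pkg"),
    # Suspicious: hidden path + CheckUpdate, started after reboot (no installer parent).
    ProcessEvent("/Library/.updater/Updater", ["Updater", "CheckUpdate"], "/sbin/launchd"),
]

if __name__ == "__main__":
    for path, reasons in hunt_hidden_updater(SAMPLE_EVENTS):
        print(path)
        for r in reasons:
            print("  -", r)
```

Two practical notes follow from the article. First, because the sample exits when run without an argument, a sandbox that replays it must pass “CheckUpdate” (or whatever argument the launch record shows) to observe the C&C contact at all. Second, the argument check is the trait most easily changed by the operators, so the hidden-path and installer-parent signals are the ones worth keeping in the rule even if the string is updated.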
The dropped executable file has an unusually large size, likely because it was inflated with junk data. The main purpose of the malware is to implant the Fallchill backdoor loader onto the compromised machine.
The Fallchill backdoor is a piece of malware formerly attributed to the Lazarus group that contains “enough functions to fully control the infected host,” Kaspersky points out. The malware operators appear to be reusing code and C&C infrastructure over and over again, the security firm also notes.
“Lazarus group has entered a new platform: macOS. […] We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once,” Kaspersky says.
What remains unclear, however, is whether Lazarus compromised Celas and abused its update mechanism to deliver malware, or whether the attackers managed to create “a legitimate looking business and inject a malicious payload into a ‘legitimate looking’ software update mechanism,” thus building a fake supply chain from scratch.