North Koreans add Mac OS to cryptocurrency-stealing malware attacks

A North Korean hacking group is targeting cryptocurrency exchanges using Trojanised cryptocurrency trading software designed for both Microsoft’s Windows and Apple’s Mac OS, say researchers

The infamous North Korean Lazarus cyber crime group has resurfaced with a campaign dubbed AppleJeus designed to steal cryptocurrency.

Researchers in Kaspersky Lab’s Global Research and Analysis Team (GReAT) discovered that the group had penetrated the network of a cryptocurrency exchange in Asia.

The aim of the campaign is to steal cryptocurrency using Trojanised cryptocurrency trading software, but in addition to Windows-based malware, the researchers were able to identify a previously unknown version targeting the Mac OS platform.

This is the first case in which Kaspersky Lab researchers have observed the Lazarus group distributing malware targeting Mac OS users.

The Mac OS and Windows versions of the malware work in exactly the same way, but researchers expressed concern that Mac OS machines and users would be less prepared to deal with malware.

This development is a “wake-up call” for everyone who uses this operating system for cryptocurrency-related activity, the researchers said.

They believe copies of the malware were downloaded from a website that appeared to belong to a legitimate company that develops software for cryptocurrency trading.

The cryptocurrency trading application, called Celas Trade Pro from Celas Limited, showed no signs of malicious behaviour and looked genuine, the researchers said in a blog post.  

The software company has a valid digital certificate for signing its software and legitimate-looking registration records for the domain, but researchers could not identify any legitimate organisation located at the address used in the certificate’s information.

The application’s code also appears to be legitimate because the malicious code is sent via an updater component, which is commonly found in legitimate software to download new versions.

The malware first collects basic information about the computer it has been installed on, and if the attackers decide the computer is worth attacking, the malicious code is sent as a software update.

The malicious update installs a Trojan known as Fallchill, which the Lazarus group has used in the past and provided the first indication that the group was behind this campaign.

Read more about the Lazarus group

Upon installation, the Fallchill Trojan gives the attackers almost unlimited access to the targeted computer, allowing them to steal valuable financial information.

“We noticed a growing interest of the Lazarus group in cryptocurrency markets at the beginning of 2017, when Monero mining software was installed on one of their servers by a Lazarus operator,” said Vitaly Kamluk, head of GReAT APAC team at Kaspersky Lab. “Since then, they have been spotted several times targeting cryptocurrency exchanges alongside regular financial organisations.

“The fact that they developed malware to infect Mac OS users in addition to Windows users and, most likely, even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future.”

The Lazarus group, known for its sophisticated operations and links to North Korea, is noted not only for its cyber espionage and cyber sabotage attacks, but also for financially motivated attacks.

A number of researchers, including at Kaspersky Lab, have previously reported on this group targeting banks and other big financial enterprises.

The first known North Korean cryptocurrency operation was in February 2017, with the theft of $7m in cryptocurrency from South Korean exchange Bithumb.

By the end of 2017, several researchers had reported further spear phishing campaigns against South Korean cryptocurrency exchanges, numerous successful thefts, and even Bitcoin and Monero mining. 

In January 2018, researchers at security firm Recorded Future linked the Lazarus group to a spear phishing campaign targeting cryptocurrency users and exchanges in South Korea, as well as South Korean college students interested in foreign affairs.

In light of the latest findings, Kaspersky Lab researchers advise businesses to:

  • Not trust the code running on their systems, noting that neither an authentic looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors.
  • Use a robust security solution, equipped with malicious-behaviour detection technologies that enable even previously unknown threats to be caught.
  • Subscribe to a high-quality threat intelligence reporting service in order to get early access to information on the most recent developments in the tactics, techniques and procedures of sophisticated threat actors.
  • Use multi-factor authentication and hardware wallets if you are dealing with significant financial transactions. For this purpose, preferably use a standalone, isolated computer that you do not use to browse the internet or read email.

Read more on Hackers and cybercrime prevention