North Korean-linked hacking group Lazarus believed to be behind AppleJeus Mac malware

Attack on cryptocurrency exchange platform in Asia by North Korea's Lazarus Group used new Mac malware

The North Korean-linked Lazarus Group is behind the AppleJeus Mac malware used in an attack on an Asian cryptocurrency exchange.

Lazarus became widely known in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

A group calling itself Guardians of Peace - a front for Lazarus Group - claimed responsibility for the attack that crippled the company for days and enabled the group to release highly sensitive emails.

The new malicious operation was originally uncovered by Russian security company Kaspersky's Global Research and Analysis Team (GReAT) in 2017. Called AppleJeus, it helped Lazarus to penetrate the IT security of a cryptocurrency exchange platform in Asia for the purpose of theft.

In addition to Windows-based malware, the researchers identified a previously unknown version targeting MacOS.

"This is the first case where Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware that targets MacOS users, and it represents a wakeup call for everyone who uses this OS for cryptocurrency-related activity," Kaspersky warned in a statement.

"Based on the analysis by GReAT, the penetration of the stock exchange's infrastructure began when an unsuspecting company employee downloaded a third-party application from the legitimate looking website of a company that develops software for cryptocurrency trading."

GReAT said that the application's code was not suspicious, with the exception of one component: an updater. The attack was able to proceed because such a component is normal in legitimate software, where its job is to download new versions of the program, so its presence and its network activity did not stand out.

"In the case of AppleJeus, [the updater component] acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update," the team explained.

The malicious update then installs a Trojan known as Fallchill, an older tool that the Lazarus group has recently returned to. The reuse of this known tool gave the researchers a basis for attributing the operation to the group.

"Upon installation, the Fallchill Trojan provides the attackers with almost unlimited access to the attacked computer, allowing them to steal valuable financial information or to deploy additional tools for that purpose," it added.
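The staged delivery described above, a small beacon of host information followed by an "update" that is really a second-stage binary, leaves a pattern in outbound HTTP logs: the same client sends a small POST to a server and shortly afterwards pulls an executable from that same server. The following is an added example written for this page; it is not code from Kaspersky, from the article, or from the malware. The log format, the field names, the list of content types and the 15-minute window are assumptions, and the sample log lines are constructed.

```python
"""
Flag the 'updater as reconnaissance module' pattern in outbound HTTP logs:
a client POSTs a small host profile to a server and, shortly afterwards,
receives an executable from the same server.

Added illustration, not code from Kaspersky or from the article. The log
format, field names, content-type list and window are assumptions; the
sample log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress-proxy log. Columns: timestamp client method host path status content-type size
# 'size' is the request body for POSTs and the response body for GETs (a simplification).
SAMPLE_LOGS = """\
2018-08-20T09:12:03Z 10.0.0.21 GET  updates.vendor.example /version 200 application/json 312
2018-08-20T09:12:05Z 10.0.0.21 POST updates.vendor.example /version 200 application/json 640
2018-08-20T09:20:41Z 10.0.0.21 GET  updates.vendor.example /update 200 application/octet-stream 2483200
2018-08-20T09:15:00Z 10.0.0.35 POST telemetry.other.example /ping 200 text/plain 88
2018-08-20T09:18:30Z 10.0.0.35 GET  cdn.other.example /app-1.2.dmg 200 application/x-apple-diskimage 52000000
2018-08-20T11:40:00Z 10.0.0.21 GET  updates.vendor.example /update 200 application/octet-stream 2483200
"""

# Response types under which a second-stage binary for either platform plausibly arrives (assumed list).
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-mach-binary",   # Mach-O (macOS)
    "application/x-msdownload",    # PE (Windows)
    "application/x-executable",
}
WINDOW = timedelta(minutes=15)    # assumed: how long after the beacon a staged payload may follow
MAX_BEACON_BYTES = 4096           # a host profile is small; larger POSTs are treated as ordinary uploads


def parse_line(line):
    """Split one constructed log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, client, method, host, path, status, ctype, size = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "host": host, "path": path,
        "status": int(status), "ctype": ctype, "bytes": int(size),
    }


def find_staged_downloads(log_text, window=WINDOW):
    """Return one finding per executable download that was preceded, within `window`,
    by a small POST from the same client to the same host."""
    entries = sorted(filter(None, (parse_line(l) for l in log_text.splitlines())),
                     key=lambda e: e["ts"])
    beacons = defaultdict(list)   # (client, host) -> timestamps of small POSTs seen so far
    findings = []
    for e in entries:
        if e["status"] != 200:
            continue
        key = (e["client"], e["host"])
        if e["method"] == "POST" and e["bytes"] <= MAX_BEACON_BYTES:
            beacons[key].append(e["ts"])
        elif e["method"] == "GET" and e["ctype"] in EXECUTABLE_TYPES:
            recent = [t for t in beacons[key] if timedelta(0) <= e["ts"] - t <= window]
            if recent:
                findings.append({
                    "client": e["client"], "host": e["host"],
                    "beacon_ts": max(recent), "download_ts": e["ts"],
                    "path": e["path"], "bytes": e["bytes"],
                })
    return findings


if __name__ == "__main__":
    for f in find_staged_downloads(SAMPLE_LOGS):
        print(f"{f['client']} -> {f['host']}: beacon at {f['beacon_ts']:%H:%M:%S}, "
              f"executable {f['path']} ({f['bytes']} bytes) at {f['download_ts']:%H:%M:%S}")
```

In the constructed sample only the 09:20 download is flagged: the second download from the same host falls outside the window, and the other client fetched its image from a different host than the one it beaconed to. Legitimate updaters produce the same beacon-then-binary shape, so a hit is a candidate for review, not a confirmed compromise; the follow-up is to verify the downloaded binary's code signature against the publisher's. Note also that, as described above, the payload is only sent when the operators decide the host is worth attacking, so a beacon with no download is not evidence that the updater is benign.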

The situation was made worse by the fact that the attackers developed the malware for both the Windows and MacOS platforms, the latter of which is generally much less targeted by cyberthreats than Windows.

"The functionality of both platform versions of the malware is exactly the same."

Kaspersky's GReAT team noticed a growing interest of the Lazarus Group in cryptocurrency markets at the beginning of 2017, when Monero mining software was installed on one of their servers by a Lazarus operator.

Since then, the researchers said, the group has been spotted several times targeting cryptocurrency exchanges alongside regular financial organisations.

"The fact that they developed malware to infect MacOS users in addition to Windows users and - most likely - even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation," Kaspersky's Head of GReAT APAC team, Vitaly Kamluk, said.

"We should definitely expect more such cases in the near future.

"For MacOS users, this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies."
