A new report revealed by digital forensics specialists claims that hackers that make up the dangerous Lazarus group are trying to inject a new fileless Trojan into victims’ devices on thousands of computers with operating system Apple macOS; to complete the attack, the hackers would be using a fake cryptocurrency exchange app.
The discovery was reported by the specialist Dinesh
Devadoss, from research and security firm K7 Computing; Devadoss in turn shared
his finding to Mac security expert Patrick Wardle, who claims to have seen
similar attacks before. According to Wardle, the 2018 malware identified as Apple.Jeus also used a cryptocurrency app to attract enthusiasts
and steal virtual assets.
To make these applications seem more reliable,
hackers resorted to a well-known trick: creating fake software companies that
use legitimate certificates. In both cases, everything points to the
perpetrators belonging to the dangerous Lazarus hacker group, mention the
digital forensics specialists.
Wardle identified this new Trojan as
OSX.AppleJeus.C, and claims it follows the same mode of operation as its
predecessor except for a new feature: running into memory as a fileless
payload. As the name suggests, fileless malware skips writing to disk to evade
detection of signature scanners, limiting its presence to main memory.
Once in memory, the malware tries to take
control of some legitimate processes on the target system, such as Windows
PowerShell and some scripting tools. In the most recent campaign, digital
forensics experts detected that the cryptocurrency app is responsible for
initiating the infection, taking Apple’s API calls to create a harmless-looking
object file image that is written to disk to generate persistence.
Thereafter, the malware can survive on main
memory, calling a remote server to receive any payload sent by the threat
actors.
Although it looks like a really dangerous
attack it depends heavily on user interaction, because for the infection to
complete the user must still ignore at least two macOS warnings:
- The
installer is not signed - The
malware installer requires the user to enter a password to gain root access
In addition, the target user is required to
install an unsigned application, which is a terrible idea for any user.
According to the digital forensics specialists
of the International Institute of Cyber Security (IICS) there are multiple
additional security tools to the macOS operating system that will help any user,
whether they’re cryptocurrency enthusiast or if they use their Apple devices
for regular tasks.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
