NK hackers target Mac users with trojan cryptocurrency app

  • Liam Tung (CSO Online)
  • 24 August, 2018 08:59

The first malware for Mac systems developed by infamous North Korean hacking group Lazarus has been discovered. 

Researchers have fingered the Lazarus group for the destructive attack on Sony Pictures in 2014, as well as more recent financially-motivated attacks on South Korean cryptocurrency exchanges, a spate of targeted ransomware attacks on corporations in the US and Europe, and multiple raids on banks through the industry’s SWIFT system.      

All of those attacks have targeted Windows systems, however researchers at Kaspersky Lab have found the group’s first known malware targeting Apple macOS computers in the form of a hidden software updater for a seemingly bonafide app aimed at cryptocurrency traders called Celas Trade Pro.    

But software was fake and the company behind it appears to have been bogus too, according to Kaspersky researchers. 

The macOS malware was discovered while the company was investigating a breach at an unnamed Asian cryptocurrency exchange that its researchers believe was compromised by one of Lazarus’ malware tools called Fallchill, a remote access tool that US-CERT has filed under its investigation into North Korea’s Hidden Cobra hacking activity.   

Using a trojanized software updater for an application relevant to cryptocurrency trading was a notable difference to fake Flash Player updates spread through malicious ads aimed at the masses. 

In this case, the hackers appear to have only wanted to snag people keen on installing cryptocurrency trading software, in this case Celas Trade Pro from a company claiming to be Celas LLC. 

“Including malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application,” Kaspersky Lab researchers note.

Celas Trade Pro didn’t display malicious behavior and looked like a genuine cryptocurrency trading program developed by Celas, and was seemingly verified with a legitimate-looking digital certificate.  

However the researchers found that the macOS installer includes a module that persists after a reboot and contacts a remote server to install more malware.  

The malicious Celas Mac software was offered alongside a Windows executable that displayed the same behavior as the Mac malware. The site also flagged a Linux update was “coming soon”.

“The fact that [the attackers] developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,” Vitaly Kamluk of Kaspersky Lab said in a statement. 

“For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies.”