The Lazarus hacking group has been caught trying to sneak a new ‘fileless’ Trojan on to Apple macOS computers disguised as a fake cryptocurrency trading application.
The discovery was reported by K7 Computing’s Dinesh Devadoss to Mac security expert Patrick Wardle, who immediately spotted similarities to previous attacks.
The first of these, from 2018, was the ‘Apple.Jeus’ malware, which also used a cryptocurrency trading application to lure high-value targets in order to steal cryptocoins.
In October 2019, the hackers retuned with a new backdoor Trojan that spreads using the same approach – a cryptocurrency application posted to GitHub for victims to download.
To make the applications appear trustworthy, both campaigns used the ruse of setting up fake software companies using legitimate certificates.
Both were connected to the suspected North Korean Lazarus Group, widely blamed for big attacks such as WannaCry in 2017 and Sony Pictures in 2014.
Disappearing act
The new Trojan, tagged by Wardle as OSX.AppleJeus.C, continues in the same vein, with one interesting twist – the so-called fileless in-memory execution of a remote payload.
Although this malware starts off on disk as an installer, and some writes files to disk as part of its infection process, the final executable part of the malware is loaded directly into memory without being saved to disk first, thus its moniker ‘fileless’.
From that point on, the malware runs out of main memory, calling a remote server for whatever payload the attackers fancy serving.
Fortunately, as Wardle notes, for infection to occur the installer requires you to click through two macOS warnings – firstly, a pop up telling you that the installer is unsigned, and secondly a prompt to grant the installer root access.
It’s not certain what the attackers are trying to do with this variant, but most likely it’s the same cryptocurrency theft as previous macOS campaigns.
Should the average Apple user fear the arrival of fileless malware? Unless you’re reckless, no. Being infected requires the user to take the risk of downloading an unsigned application, and giving it administrator powers during installation.
What to do
Cybercriminals are clearly targeting cryptocurrency in a big way. Any public application used to store or trade in this area should be treated with the extreme caution.
If you think you might be infected, you can look for these two files as indicators of compromise:
- Configuration file:
/Library/LaunchDaemons/vip.unioncrypto.plist - Executable file:
/Library/UnionCrypto/unioncryptoupdater
Those files are telltale signs of infection that are created by the malware installer.
Sophos detects the malware as OSX/NukeSped-AB. If you haven’t already, download Sophos Home Free, which provides free malware protection for Macs.
Tynan Wait
Very interesting article. I have a Macbook Pro running MacOS 10.15.1 and the two steps in the “What to do” section reference UnionCrypto files that are not on my system. I have Sophos Home Premium 2.2.5 installed on that system. Are there any steps I need to take?
Paul Ducklin
The two files listed are telltales of the malware so if they aren’t there I think it’s safe to assume you aren’t infected!
(I have updated the article to make that clearer.)
Ron
Thanks for this article. It’s such a rarity when people report on malware. There’s three things I want to know first and foremost: what platform is affected, how did the infection take place, and how can you tell if your machine is affected. After that, I’m interested in the academics of how the infection works. You covered the bases nicely, thanks.
Paul Ducklin
We don’t know how the crooks disseminated the infected installer files… common methods include email attachments (the pitch might be something like “earn new cryptocoins at home, open this file to learn how!”) and poisoned websites (“the best cryptocoin wallet ever, download and try now for free, don’t miss out!”).
The infection happens if you run a booby-trapped installer, presumably by believing some cryptocoin “act now” marketing hype urging you to try it out. (You also have to agree to allow it to run despite being unsigned, and to authorise it to install with admin privileges – most installers don’t do that, although at least some well-known apps do.)
As for searching out what are known as indicators of compromise, you can follow the advice in the What to do? section above.
In this case of this particular malware, a little ‘cyberhygiene’ (such as not being too hasty to trust totally unknown new apps) should keep you safe.