Researchers from Kaspersky Lab's Global Research and Analysis Team (GReAT) have discovered AppleJeus, a new operation by the Lazarus group. The attackers penetrated the network of a cryptocurrency exchange using a trojanized cryptocurrency trading application. The purpose of the attack was to steal cryptocurrency from the victims. In addition to Windows malware, the researchers identified a previously unknown version targeting the macOS platform.
This is the first time Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware to macOS users, and it is a warning sign for anyone using this operating system for cryptocurrency-related activities.
According to the GReAT team's analysis, the intrusion into the exchange's infrastructure began when an employee downloaded an application from the legitimate-looking website of a company that develops cryptocurrency trading software.
The application code did not look suspicious, with the exception of one component: the updater. In legitimate software, such components are used to download new versions of the program. In AppleJeus, it behaves like a reconnaissance module: first it collects general information about the computer on which it was installed, and then it sends this information to the command-and-control server. If the attackers decide that the machine is worth attacking, the malicious code comes back in the form of an update. It installs a Trojan known as Fallchill, an old tool that the Lazarus group has recently begun to reuse. That indicator gave the researchers a starting point for attribution. Once installed, the Fallchill Trojan gives the attackers almost unlimited access to the computer, allowing them to steal valuable financial information or launch additional tools for that purpose.
The attackers developed malware for both Windows and macOS. The latter platform is generally far less exposed to cyber threats than Windows. The functionality of the two versions is exactly the same.
Another unusual aspect of the AppleJeus operation is that, although it looks like a supply-chain attack, it may not actually be one. The vendor of the cryptocurrency trading software used to attack the victims has a valid digital certificate and a domain that appears legitimate. But, at least based on public information, Kaspersky Lab researchers could not identify a real organization at the address given in the certificate details.
“We noticed a growing interest of the Lazarus group in cryptocurrency markets in early 2017, when Monero cryptocurrency mining software was installed on the servers of a Lazarus operator,” notes Vitaly Kamluk, Head of GReAT APAC at Kaspersky Lab. “Since then, they have been spotted several times targeting cryptocurrency exchanges, along with regular financial organizations. The fact that they have developed malware to infect macOS users in addition to Windows and, most likely, have created a fake software company and a product in order to deliver this malware without being detected by security solutions means that they see the potential for big gains, and we have to expect other similar cases in the future. For macOS users, it is a warning sign, especially if they use their Macs for cryptocurrency operations.”
The Lazarus Group, known for its sophisticated attacks and its ties to North Korea, has been observed not only in espionage and cyber-sabotage but also in financially motivated attacks. Several researchers, including those at Kaspersky Lab, have reported on this group targeting banks and other large financial organizations.
To protect individual users and companies from sophisticated cyber attacks by groups like Lazarus, Kaspersky Lab experts recommend the following:
- Do not automatically trust the code running on the systems you own. Neither an authentic-looking website, nor a solid company profile, nor a digital certificate guarantees the absence of a backdoor.
- Use a robust security solution with behavior-based detection technologies that can detect previously unknown threats.
- Supplement your organization's security team with a high-quality threat intelligence service to get quick access to data on the latest tactics, techniques and procedures of sophisticated attackers.
- Use multi-factor authentication and hardware wallets if you make significant financial transactions. Preferably, do this on an isolated computer that you do not use for browsing the Internet or reading email.
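The updater behavior described above (inventory the host, send the inventory to a command-and-control server, and only then fetch and run a second stage) is a sequence that behavior-based detection can key on, which is the point of the second recommendation. The following is an added example written for this page, not code from Kaspersky Lab, the affected vendor, or the AppleJeus sample itself. It runs a simple staged-updater rule over constructed endpoint telemetry: the event format, process names, host names, file paths and the `RECON_MARKERS` list are all assumptions made for the demonstration and would be tuned to a real environment.

```python
"""Behavior-based detection of a staged 'updater' backdoor (added example).

Flags an updater process that completes, in order:
  1. host reconnaissance (runs an inventory command),
  2. an outbound connection to a host that is not on the vendor's allowlist,
  3. a file write after that beacon,
  4. execution of the file it just wrote.
A benign updater that only talks to its vendor never completes step 2.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Commands typically used to inventory a host (assumption; tune per environment).
RECON_MARKERS = ("systeminfo", "wmic", "hostname", "uname",
                 "sw_vers", "ioreg", "ipconfig", "ifconfig")


@dataclass(frozen=True)
class Event:
    ts: int       # ordering key; the absolute value does not matter
    proc: str     # updater process that initiated the action
    kind: str     # "exec" (child command line), "net" (destination host), "file" (path written)
    detail: str


@dataclass
class Finding:
    proc: str
    recon_ts: int
    beacon_host: str
    payload_path: str
    exec_ts: int


def _empty_state() -> dict:
    return {"recon": None, "beacon": None, "drop": None, "exec": None}


def detect_staged_updater(events: List[Event],
                          vendor_hosts: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per process that completes all four stages in order."""
    states: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        st = states.setdefault(ev.proc, _empty_state())
        allowed = vendor_hosts.get(ev.proc, set())
        if ev.kind == "exec" and st["recon"] is None \
                and any(m in ev.detail for m in RECON_MARKERS):
            st["recon"] = ev.ts
        elif ev.kind == "net" and st["recon"] is not None \
                and st["beacon"] is None and ev.detail not in allowed:
            st["beacon"] = ev.detail          # inventory went somewhere unexpected
        elif ev.kind == "file" and st["beacon"] is not None and st["drop"] is None:
            st["drop"] = ev.detail            # first file written after the beacon
        elif ev.kind == "exec" and st["drop"] is not None \
                and st["exec"] is None and st["drop"] in ev.detail:
            st["exec"] = ev.ts                # the dropped file was executed
    return [Finding(p, s["recon"], s["beacon"], s["drop"], s["exec"])
            for p, s in states.items()
            if all(s[k] is not None for k in ("recon", "beacon", "drop", "exec"))]


# Constructed telemetry: a benign document updater and a suspicious trading-app updater.
VENDOR_HOSTS = {
    "DocUpdater": {"update.example-docs.test"},
    "CoinUpdater": {"update.example-vendor.test"},
}
SAMPLE_EVENTS = [
    # Benign: asks its vendor for a package, writes it, installs it. No inventory, no odd host.
    Event(100, "DocUpdater", "net", "update.example-docs.test"),
    Event(101, "DocUpdater", "file", "/tmp/docs-2.1.pkg"),
    Event(102, "DocUpdater", "exec", "installer -pkg /tmp/docs-2.1.pkg"),
    # Suspicious: inventories the host, contacts the vendor (fine), then beacons to a
    # non-vendor host (placeholder name, not a real indicator), drops and runs a binary.
    Event(200, "CoinUpdater", "exec", "sw_vers"),
    Event(201, "CoinUpdater", "exec", "ioreg -l"),
    Event(202, "CoinUpdater", "net", "update.example-vendor.test"),
    Event(203, "CoinUpdater", "net", "c2-placeholder.test"),
    Event(204, "CoinUpdater", "file", "/Library/Application Support/CoinUpdater/stage2"),
    Event(205, "CoinUpdater", "exec", "/Library/Application Support/CoinUpdater/stage2 --install"),
]

if __name__ == "__main__":
    for f in detect_staged_updater(SAMPLE_EVENTS, VENDOR_HOSTS):
        print(f"{f.proc}: recon@{f.recon_ts} -> beacon {f.beacon_host} "
              f"-> dropped {f.payload_path} -> executed@{f.exec_ts}")
```

The rule deliberately requires the stages in order: an updater that runs `uname` to pick the right build and then downloads from its own vendor never trips it, while one that sends host details to an unexpected destination before a new binary appears does. The per-process vendor allowlist is what turns "valid certificate and plausible domain" into something checkable, which matters here because the article's point is that those alone did not prove the software was clean.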