Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

MacOS

8/28/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Kaspersky: Lazarus Takes Aim at macOS in Cryptocurrency Campaign

Kaspersky researchers said users of Apple and Linux systems should see the AppleJesus campaign as a warning not to get lax in their cybersecurity efforts.

The notorious Lazarus cybercriminal organization, long suspected of being sponsored by North Korea, is back with another campaign that reuses an older malware tool but expands the group's reach beyond just Windows systems and into machines running Apple's macOS operating system, according to researchers with Kaspersky Lab.

The campaign, which the analysts have dubbed "AppleJesus," would be the first time that Lazarus was seen targeting macOS systems. There also is a version of the Trojan malware for Windows machines, and according to Kurt Baumgartner, principal security researcher at Kaspersky, there is another version for Linux systems in the works.

The AppleJesus campaign should serve as a warning to users of Linux and Apple systems that they can't get lax in their security efforts simply because Windows remain the top target of threat actors, Bumgartner told Security Now in an email.

"We have seen multiple other Russian-speaking, Chinese-speaking, and other APT [advanced persistent threat] targeting macOS and iOS, in some cases for years now," he said. "Clearly, there is interest in developing and maintaining MacOS and iOS implants from groups like these, but still not with the same intensity and focus as Windows malware. MacOS users can't blindly trust software and install it. The attackers stated that a variant supporting Linux will be 'coming soon,' and we have to restate the same message to Linux users as well -- you cannot blindly trust software, even when it appears to come from a legitimate source."

According to the Kaspersky researchers, the AppleJesus malware fits in with past efforts by Lazarus to operate campaigns to steal money. The highly active group -- which also has run cyberespionage and cyberstabotage campaigns -- has targeted financial institutions. In the past several months, it has attacked several banks, financial tech companies and global cryptocurrency exchanges, they said. (See North Korea Stole 'Billions' in Cryptocurrency Heist, Official Claims.)

In this case, Kaspersky analysts discovered AppleJesus while investigating an attack on a cryptocurrency exchange in Asia. The exchange was infected via a malicious cryptocurrency trading application that came to the company through a recommendation over email.

"It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to," the analysts said in a blog post.

The appearance of FallChill gave researchers the ability to point attribution for the attack at Lazarus. Reuse of code by cybercriminals is not uncommon, and there had been a number of reports -- including an alert from US-CERT -- that Fallchill was back in use. A recent report by researchers at McAfee and Intezer found high rates of code re-use among threat groups linked with North Korea. (See Researchers Show That Code Reuse Links Various North Korean Malware Groups.)

The threat actors invested a lot of time and effort to hide the trojanized malware from security systems, the Kaspersky analysts wrote. Rather than simply putting malicious code into distributed software that was then put onto a website, the attackers created a legitimate-looking application called Celas Trade Pro that came from a company called Celas Ltd. The application, which Kaspersky described as an all-in-one style cryptocurrency trading program developed by Celas, didn't indicate malicious behavior.

However, when the software is downloaded, it comes with an updater that is installed. In legitimate software, updaters are used to download new versions of the program. In AppleJesus, the updater runs a reconnaissance mission, collecting information about the victim's system. The data is sent back to a command-and-control server, which determines whether the system is worth attack. If so, the malicious code comes back to the system as a software update, which is when Fallchill is installed.

With Fallchill in place, the Trojan gives the attackers essentially unlimited access to the system, enabling them to steal financial information or to deploy more tools to get that job done. The functionality of the Trojan is exactly the same for both Windows and macOS systems.

The Celas Trade Pro application and the Celas website look legitimate and come with a valid SSL digital certificate for signing software and seemingly legitimate domain registration records. However, Kaspersky analysts couldn't find a legitimate business using the address given on the certificate.

"We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism," they wrote in the blog. "However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a 'legitimate looking' software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not to make fake one?"

Baumgartner told Security Now that there are "many data points" to support the hypothesis that Lazarus created Celas, even if researchers can't say it with 100% certainty.

"Lazarus would not be the first APT to go to greater lengths spoofing legitimate businesses to support their own efforts," he said. "These Lazarus efforts are an ongoing extension to steal large amounts of cryptocurrency and cash from cryptocurrency exchanges and traders, banks and casinos."

Kaspersky researchers said there are a number of steps businesses should take to protect themselves against attacks like AppleJesus, including using security solutions that include malicious-behavior detection capabilities, subscribing to a threat intelligence reporting service and using multi-factor authentication and hardware wallets if dealing with significant financial transactions.

In addition, organizations should not automatically trust the code running on their systems. As AppleJesus shows, an authentic-looking website, a legitimate-looking company profile and digital certificates aren't guarantees against backdoors, they said.

Related posts:

— Jeffrey Burt is a longtime tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...
CVE-2020-8247
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...