Lazarus Group, a North Korean Advanced Persistent Threat (APT), has returned with yet another implant targeting crypto-currency exchange customers on Apple computers. This implant, which is currently unnamed, poses as a fake crypto-currency trading platform (unioncrypto[.]vip). Lazarus Group tricks its victims into downloading and installing this macOS backdoor, which appears to serve as a stage 1 downloader for their more nefarious stage 2 payloads. The malware can execute, in memory, binaries downloaded from the fake crypto website. This allows the so-called “fileless” execution of malicious payloads, making the backdoor harder for anti-virus products to detect.
Analyst Notes
Because the persistence mechanism of this malware requires administrative privileges, be cautious about granting administrative privileges to applications downloaded from untrusted sources. Additionally, if there is no legitimate business need for crypto-currency exchange software, the safest policy is to disallow its use in the workplace.