North Korea (Lazarus Group): In 2018, Lazarus Group was linked to an operation dubbed “AppleJeus.” The operation was notable as the first time Lazarus Group was observed targeting macOS. Recent analysis has revealed that the operation is still ongoing and has undergone significant changes. To continue targeting macOS users, Lazarus Group has developed homemade macOS malware and added an authentication mechanism so that the next-stage payload is delivered very carefully, while keeping that payload from ever touching the disk.

For Windows users, the group developed a multi-stage infection procedure and a different final payload. Analysis of the Windows payload has yet to yield information about the initial installer, but it was established that the infection started from a malicious file named WFCUpdater.exe. At the time of the infection that revealed the details about WFCUpdater.exe, Lazarus Group was operating a fake website called wfcwallet[dot]com. It is believed that a file called Device.exe opens port 6378, but because Device.exe could not be captured, this has not been confirmed.

The macOS malware for this campaign makes use of a fake website and application called JMTTrading. The macOS version was found hosted on GitHub and implements a simple backdoor function in a macOS executable. As in the previous version of this campaign, the malware performs its encryption and decryption with a 16-byte XOR key.
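The 16-byte repeating XOR key mentioned above is the kind of weak encoding an analyst can strip during triage without any key material, because XOR is symmetric and the first 16 plaintext bytes of a Mach-O are largely predictable. The helper below is an added example, not code from the write-up or from Binary Defense; it assumes only the 16-byte repeating key the summary states. The x86_64 Mach-O header bytes used as known plaintext are a typical value (real headers vary by architecture and flags), and the encrypted blob is constructed here for illustration, not a real AppleJeus artifact.

```python
"""Triage helper for payloads wrapped in a repeating 16-byte XOR key.

Added example, not from the AppleJeus write-up. Assumes a repeating 16-byte
key (as the summary states) and that the decrypted blob is a 64-bit Mach-O.
"""
import struct
from itertools import cycle

KEY_LEN = 16  # key length reported for this campaign

# Typical first 16 bytes of an x86_64 Mach-O executable: magic, cputype,
# cpusubtype, filetype. This is an assumed/typical value for the example;
# arm64 or other subtype flags need their own candidate entries.
MACHO64_X86_HDR = bytes.fromhex("cffaedfe" "07000001" "03000080" "02000000")
CANDIDATE_HEADERS = {"macho64-x86_64": MACHO64_X86_HDR}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; symmetric, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover a repeating XOR key when the first key_len plaintext bytes are known.

    Since c[i] = p[i] ^ k[i mod key_len], the first key_len ciphertext bytes
    XORed with the known plaintext prefix yield the entire key.
    """
    if len(known_prefix) < key_len:
        raise ValueError(f"need at least {key_len} known plaintext bytes")
    if len(ciphertext) < key_len:
        raise ValueError("ciphertext shorter than key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def looks_like_macho64(data: bytes) -> bool:
    """Plausibility check on fields beyond the known prefix (ncmds, sizeofcmds).

    Guards against a false hit: the recovered key always reproduces the guessed
    header, so the decision has to rest on bytes the guess did not cover.
    """
    if len(data) < 32:
        return False
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    return 0 < ncmds < 256 and 32 + sizeofcmds <= len(data)


def triage(ciphertext: bytes):
    """Try each candidate header; return (label, key, plaintext) or None."""
    for label, hdr in CANDIDATE_HEADERS.items():
        key = recover_key(ciphertext, hdr)
        plaintext = xor_repeating(ciphertext, key)
        if looks_like_macho64(plaintext):
            return label, key, plaintext
    return None


# Constructed sample: a fake 64-byte "Mach-O" (32-byte header, ncmds=2,
# sizeofcmds=32, followed by zeroed load-command space) under a made-up key.
SAMPLE_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")
SAMPLE_PLAIN = MACHO64_X86_HDR + struct.pack("<IIII", 2, 32, 0, 0) + b"\x00" * 32
SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    hit = triage(SAMPLE_CIPHERTEXT)
    if hit is None:
        print("no candidate header produced a plausible Mach-O")
    else:
        label, key, plaintext = hit
        print(f"matched {label}; key={key.hex()}; first bytes={plaintext[:4].hex()}")
```

The plausibility check matters more than the key recovery: because the key is derived from the guessed header, decrypting with it always reproduces that header, so a hit is only meaningful when fields the guess did not cover (here the load-command count and size) also look sane. Additional headers, such as an arm64 Mach-O or a PE stub padded to 16 bytes, can be added to CANDIDATE_HEADERS with their own check.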
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.