Threat Watch

Lazarus Group Fileless Backdoor Found

Lazarus Group, a North Korean Advanced Persistent Threat (APT) has returned with yet another implant targeting crypto-currency exchange customers on Apple computers.  This implant, which is currently unnamed, poses as a fake crypto-currency trading platform (unioncrypto[.]vip).  Lazarus Group tricks its victims into downloading and installing this macOS backdoor, which seems to serve as a stage 1 downloader for their more nefarious stage 2 payloads.  This malware has the ability to perform in-memory execution of binaries downloaded from their fake crypto website.  This allows for the so-called “fileless” execution of malicious payloads, making the backdoor more difficult for anti-virus products to detect.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

As the persistence mechanism of this malware requires administrative privileges, be cautious about giving administrative privileges to applications downloaded from untrusted sources. Additionally, if there is no legitimate business purpose for using Crypto-currency exchange software, the safest policy is to disallow the use of Crypto-currency exchange software in the workplace.

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support