Lazarus Group Fileless Backdoor Found - Binary Defense

Threat Watch


Lazarus Group Fileless Backdoor Found

Lazarus Group, a North Korean Advanced Persistent Threat (APT), has returned with yet another implant targeting crypto-currency exchange customers on Apple computers. This implant, which is currently unnamed, poses as a fake crypto-currency trading platform (unioncrypto[.]vip). Lazarus Group tricks its victims into downloading and installing this macOS backdoor, which appears to serve as a stage 1 downloader for their more nefarious stage 2 payloads. The malware can execute, directly in memory, binaries downloaded from the fake crypto website. This so-called “fileless” execution of malicious payloads leaves no payload on disk, making the backdoor more difficult for anti-virus products to detect.

ANALYST NOTES

As the persistence mechanism of this malware requires administrative privileges, be cautious about granting administrative privileges to applications downloaded from untrusted sources. Additionally, if there is no legitimate business purpose for using crypto-currency exchange software, the safest policy is to disallow its use in the workplace.
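One practical way to act on the note above is to audit the places where admin-level persistence lands on macOS. The following is an added example, not code from Binary Defense or from the analysis of this implant: it parses launchd job plists and flags jobs whose executable lives outside the usual system locations or that are configured to restart themselves. The post does not say which persistence mechanism the backdoor uses, so treating system-wide LaunchDaemons (which require administrative rights to install) as the place to look is an assumption of this example, and the sample plists are constructed.

```python
"""
Added example (not from the Binary Defense post): audit macOS launchd job
plists for persistence entries that launch binaries from unusual locations.
System-wide jobs under /Library/LaunchDaemons require administrative
privileges to install, which matches the post's note that this backdoor's
persistence needs admin rights. The implant's actual mechanism is not stated
on the page, so looking at LaunchDaemons is this example's assumption.
"""
from __future__ import annotations

import plistlib
from pathlib import Path
from typing import Optional

# Directories from which a legitimately installed daemon is usually launched.
# A path outside these is a lead for an analyst, not proof of malice.
TRUSTED_PREFIXES = ("/usr/", "/System/", "/Library/Apple/", "/Applications/")


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launchd job runs (Program or ProgramArguments[0])."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if args:
        return args[0]
    return None


def assess_plist(label: str, data: bytes) -> dict:
    """Parse one plist and list the reasons it deserves a closer look."""
    plist = plistlib.loads(data)
    path = program_path(plist) or ""
    reasons = []
    if not path:
        reasons.append("no Program/ProgramArguments")
    elif not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"binary outside trusted prefixes: {path}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        # Common for real services too, but also how persistence survives a kill.
        reasons.append("RunAtLoad+KeepAlive (job restarts if terminated)")
    return {"label": label, "program": path, "reasons": reasons}


def audit_directory(directory: str) -> list[dict]:
    """Scan a real launchd directory and return only entries with findings."""
    results = []
    for p in Path(directory).glob("*.plist"):
        try:
            results.append(assess_plist(p.name, p.read_bytes()))
        except Exception as exc:  # unparseable plist is itself worth reporting
            results.append({"label": p.name, "program": "",
                            "reasons": [f"unparseable: {exc}"]})
    return [r for r in results if r["reasons"]]


# Constructed sample plists; these are not artefacts from the campaign.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.helper</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""


def demo() -> list[dict]:
    """Run the heuristic over the two constructed samples."""
    return [assess_plist("benign", BENIGN), assess_plist("suspicious", SUSPICIOUS)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    # On a real Mac: audit_directory("/Library/LaunchDaemons")
```

Run it on a real machine with `audit_directory("/Library/LaunchDaemons")` (and `/Library/LaunchAgents`); the trusted-prefix list is deliberately coarse and should be tuned to the software actually deployed in the environment.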
