Delaware, USA – August 24, 2018 – The Lazarus group has started using malware for macOS in its campaigns. Earlier this week, researchers revealed details of the DarkHotel group's operation and of the Ryuk ransomware campaign, and now researchers from Kaspersky Lab have reported an attack by the North Korean APT group on a cryptocurrency exchange, which they called Operation AppleJeus. They detected the infiltration into the exchange network and warned the company about the attack in time.

Further investigation revealed that the attackers used the Celas Trade Pro application to deliver the Fallchill malware. To do this, the attackers created an updater module and signed it with a digital certificate issued by Comodo CA to a non-existent company. Exchange employees received phishing emails with a link to the Celas Limited webpage, which offered download links to the application for Windows and macOS. That page also stated that a Linux version of the app was under development. After the application is installed, Updater.exe immediately starts collecting information about the system and sending it to the command and control server (www.celasllc[.]com/checkupdate.php). At this time, it is not known whether the company's server was compromised or whether the attackers created a fake company for Operation AppleJeus. The updater waits for a command from the attackers and then, under the guise of an update, downloads and installs the Fallchill malware. The size of the "update" exceeds 100 MB; this is probably done to bypass some security solutions and to make it harder for security researchers to download the final payload.
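The updater behaviour described above can be hunted in web proxy logs. The following is an added example, not code from Kaspersky Lab or SOC Prime: it flags hosts that contact the check-in URL named in the report and then correlates any download larger than 100 MB by the same host. The log format, host names, sample lines and the 24-hour window are assumptions, and the log is assumed to be sorted by time.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicator from the article, kept defanged in source and refanged at runtime.
C2_HOST = "www.celasllc[.]com".replace("[.]", ".")
C2_PATH = "/checkupdate.php"
LARGE_BYTES = 100 * 1024 * 1024   # article: the "update" exceeds 100 MB
WINDOW = timedelta(hours=24)      # assumption: correlation window

# Constructed sample proxy log (assumed format): time client method url status bytes
SAMPLE_LOG = f"""\
2018-08-20T09:00:01 ws-014 POST http://{C2_HOST}/checkupdate.php 200 312
2018-08-20T09:00:05 ws-022 GET http://example.org/index.html 200 10240
2018-08-20T11:30:00 ws-014 GET http://download.example.net/update.bin 200 115343360
2018-08-20T11:31:00 ws-022 GET http://mirror.example.net/distro.iso 200 734003200
2018-08-20T12:00:00 ws-031 POST http://{C2_HOST.upper()}./checkupdate.php 200 298
"""

def parse(line):
    ts, client, _method, url, _status, size = line.split()
    u = urlsplit(url)
    # urlsplit lowercases the hostname; strip a trailing root dot as well.
    host = (u.hostname or "").rstrip(".")
    return datetime.fromisoformat(ts), client, host, u.path, int(size)

def detect(log_text):
    beacons = {}   # client -> time of first check-in to the C2 URL
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, size = parse(line)
        if host == C2_HOST and path.lower() == C2_PATH:
            if client not in beacons:
                beacons[client] = ts
                alerts.append(("beacon", client, ts.isoformat()))
        elif (client in beacons and size > LARGE_BYTES
              and ts - beacons[client] <= WINDOW):
            # Oversized transfer by a host that already checked in.
            alerts.append(("large_download_after_beacon", client, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The large ISO fetched by `ws-022` is not reported because that host never contacted the check-in URL; the size rule only fires as a follow-up to a beacon.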
The Lazarus group continues to conduct sophisticated attacks on financial institutions and to extend its toolset to infect various operating systems. SIEM tools can spot suspicious activity that bypasses traditional security solutions. To spot and stop APT attacks at early stages, download the APT Framework rule pack for your SIEM from Threat Detection Marketplace: https://my.socprime.com/en/integrations/apt-framework-arcsight