New MacOS Fileless Malware by Lazarus Group

Delaware, USA – December 4, 2019 – One of the units of the Lazarus group continues to prepare cryptocurrency-related attacks similar to AppleJeus operation. This week security researcher Dinesh Devadoss found ‘fileless’ MacOS malware with a very low detection rate and which is capable of loading a mach-O executable file from memory and executing it. The malicious UnionCryptoTrader file is about 20MB in size and was initially detected by only 4 antiviruses on VirusTotal. Patrick Wardle, an expert in MacOS malware, analyzed the sample and found similarities to another recently discovered MacOS trojan by Lazarus group. The malicious file is not signed and is hosted on unioncrypto.vip. Despite the fact that the site offers “cryptocurrency arbitrage trading platform that monitors 4 cryptocurrency exchanges and allows to trade on the arbitrage opportunities with the use of bots”, no download links were found. It may follow that malware was detected before the attackers launched the campaign.

After execution, the malicious app runs a script that installs launch daemon for persistence and sets it to be owned by root. After that, it creates a new directory, moves the hidden binary there and executes it. The binary is capable of collecting basic system information and requests a C&C server for additional payload. The researcher failed to get samples of the final payload, but the analysis of existing files showed ‘fileless’ origin of the threat: “The memory_exec2 function invokes the Apple API NSCreateObjectFileImageFromMemory to create an“ object file image ”from a memory buffer (of a mach-O file). Following this, the NSLinkModule method is called to link the “object file image.” Finally it appears the malware resolves a symbol in the in-memory image and directly executes it. End result? Pure in-memory execution of a remotely downloaded payload.”

Lazarus group is the most profitable threat actor in the cryptocurrency scene which managed to steal about $2 billion. In 2017 alone, the group stole more than half a billion dollars in cryptocurrency, so their interest in traders and exchanges is not weakening. APT Framework rule pack adds sophistication to your existing tools by leveraging the Lockheed Martin Cyber ​​kill chain to connect the dots between low-level SIEM incidents and link them to high-confidence compromises: https://my.socprime.com/en/integrations/apt-framework