Computer security firm Kaspersky Lab today warned Mac users that Lazarus, a notorious hacking group allegedly operating from North Korea, has adapted its cryptocurrency-stealing malware to target macOS machines.

Lazarus is believed to be responsible for major online attacks, including the $80 million Bangladesh cyber bank heist and 2014’s Sony Pictures hack.

The North Korea-linked Lazarus has resurfaced once again with a phishing campaign called ‘AppleJeus’, which aims to plant malware dubbed ‘Fallchill’ on macOS users’ machines.

The malware campaign has been uncovered by Kaspersky, which also noted that the advanced cyber threat group is developing a version targeting Linux users. The Russia-based company says the latest attacks are different than other phishing operations by the Lazarus group and use novel code to infect machines.

The newest Lazarus campaign was first spotted after it had successfully compromised an Asian cryptocurrency exchange. The researchers then discovered a Trojanized cryptocurrency trading app called Celas Trade Pro that was downloaded from a legitimate-looking website claiming to be Celas Limited.

Once installed on the computer, the malware looks for cryptocurrency info on the system to check if it’s worth compromising and then uses a hidden updater tool to control infrastructure and initiate the process of stealing the cryptocurrency via a second-stage installation.

Hackers Cash In on Crypto Euphoria

Kaspersky further explains: “Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.”

“Including malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application,” Kaspersky Lab researchers note.

According to a recent Kaspersky report, the number of victims of ICO robberies exceeded 60,000, with nearly $300 million worth of bitcoins stolen. Earlier this year, Kaspersky detected a new malware able to steal cryptocurrencies from users’ web wallets by replacing their address with that of its creator.

The report goes on to say that cryptocurrency holders should be especially careful because it is almost impossible to recover any stolen money. Not helping matters were previously known holes in several bitcoin exchanges, for which Kaspersky had issued patches, which made the hackers’ jobs easier.
