Kaspersky’s Global Research and Analysis Team (GReAT) has discovered a new type of malware that poses as a legitimate trading app but is capable of wreaking havoc and goes undetected after infecting the host machine.
The perpetrators are believed to be from the Lazarus Group, a hackers collective allegedly backed by the North Korean government, known for their vicious attacks often motivated by financial objectives.
Lazarus Group Malware Targets MacOS
According to the GReAT, the new malware was built exclusively for the macOS, and it targets cryptocurrency exchanges. Notably, this appears to be the first-ever time when the Lazarus Group has designed a malware meant for the macOS ecosystem, which can be deciphered as a sign that the group is now moving on to a broader range of target platforms.
GreAT also believes that there is a Linux variant of the macOS malware, dubbed AppleJeus, which would mean the group is building different variants of its malware for different operating systems in the hope that it will prevent operating systems from interfering with the intended targets.
The researchers noted that this should be treated as a wake-up call for all non-Windows platforms — be it macOS, Linux, or any other OS.
Malware Comes From a Verified App Publisher
The most worrying aspect about the AppleJeus malware is that it piggybacks on a legit-looking cryptocurrency trading application called Celas Trade Pro. The publisher of the app has a valid digital certificate and seemingly legit domain registration records.
However, upon researching more profoundly, the Kaspersky researchers found that the business address mentioned on the digital certificate was bogus.
“When you start looking at bits and pieces behind the application, even that starts looking more and more illegitimate,” says principal security researcher at Kaspersky, Kurt Baumgartner.
No doubt, this discovery is pretty troublesome considering that it is almost impossible for a regular user to detect malware if they are pushed through apps with valid digital certificates.
How Does Operation AppleJeus Infect Targets?
Kaspersky’s GreAT unit spotted the so-called Operation AppleJeus during their investigation of a breach in a cryptocurrency exchange. Upon further analysis, they were able to figure the malware’s modus operandi.
As previously stated, the AppleJeus malware piggybacks on a legit-looking crypto trading app Celas Trade Pro. Once an unsuspecting user downloads and installs the macOS-only app, it unleashes a hidden “auto-updater” module in the background.
In a standard app, the auto-updater is designed to find and install newer versions of the app without requiring mandatory user engagement. But in the case of Celas Trade Pro, the auto-updater starts collecting information about the host machine soon after its activation.
It then sends all the information gathered from the now-infected host machine to a command-and-control (C&C) server so the perpetrators can analyze the data. If the hackers decide that the infected computer is worth targeting, they will direct the app to install another updated called FallChill, which is a nasty Trojan.
Once installed, the FallChill trojan facilitates a practically limitless remote access to the infected machine, which the attackers can exploit to steal sensitive financial data (or any data they want).