Hackers from North Korea could be behind a newly discovered fake cryptocurrency trading site that infects macOS users who download its supposed arbitrage trading platform.
The malware was first spotted by security researcher Dinesh Devadoss, who tweeted out the discovery. BleepingComputer picked up on it and found that the malware went almost undetected by antivirus engines: only five of the engines tested flagged it.
Another #Lazarus #macOS #trojan
md5: 6588d262529dc372c400bef8478c2eec
hxxps://unioncrypto.vip/
Contains code: Loads Mach-O from memory and executes it / Writes to a file and executes it
@patrickwardle @thomasareed pic.twitter.com/Mpru8FHELi
— Dinesh_Devadoss (@dineshdina04) December 3, 2019
The malware, according to security researchers, was designed to retrieve a second-stage payload from a remote server and execute it directly in memory on the victim's machine, so that the payload never has to be written to disk. That makes it harder for researchers to capture and analyze, and harder for file-based scanners to detect.
The malicious files, however, are not code-signed, so macOS itself warns the user before they run. Moreover, the remote server does not appear to be active, as it no longer distributes the payload. This could mean the hackers used the website to test a potential attack, or that the malware was discovered before they were ready to spread it.
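The two properties the researchers describe, a dropper that loads a Mach-O image from memory and a published file hash, are the kind of thing a responder triages offline before ever running the sample. The script below is an added example, not code from the article or from the researchers quoted in it: it checks that a blob carries a Mach-O or fat magic, compares its md5 against the hash from the tweet above, and scans for the dyld routine names that a loader uses to map and link a Mach-O from a memory buffer. Those routine names (`NSCreateObjectFileImageFromMemory` and friends) are our assumption about how "loads Mach-O from memory" is implemented; the article itself does not name the APIs. The two sample byte strings are constructed here so the script runs without the real malware.

```python
"""Offline triage of a suspected macOS dropper: Mach-O magic check,
md5 IOC match, and a scan for dyld APIs used to load a Mach-O from memory."""
import hashlib
import struct

# Published indicator from the tweet quoted above (md5 of the unioncrypto.vip sample).
KNOWN_BAD_MD5 = {"6588d262529dc372c400bef8478c2eec"}

# Mach-O and fat header magics, as read big-endian from the first four bytes.
# A little-endian Mach-O (x86-64, arm64) starts with the byte-swapped form.
MACHO_MAGICS = {
    0xFEEDFACE: "Mach-O 32-bit (big-endian)",
    0xCEFAEDFE: "Mach-O 32-bit (little-endian)",
    0xFEEDFACF: "Mach-O 64-bit (big-endian)",
    0xCFFAEDFE: "Mach-O 64-bit (little-endian)",
    0xCAFEBABE: "fat/universal",
}

# Assumption: the dyld routines a dropper calls to create an image from a
# memory buffer, link it, and resolve an entry point. The article only says
# the sample "loads Mach-O from memory"; these symbol names are ours.
IN_MEMORY_LOADER_APIS = (
    b"NSCreateObjectFileImageFromMemory",
    b"NSLinkModule",
    b"NSLookupSymbolInModule",
    b"NSAddressOfSymbol",
)


def macho_type(data: bytes):
    """Return a description of the Mach-O/fat magic, or None if not Mach-O."""
    if len(data) < 4:
        return None
    (magic,) = struct.unpack(">I", data[:4])
    return MACHO_MAGICS.get(magic)


def triage(data: bytes) -> dict:
    """Hash the blob, match it against the IOC list, and look for loader APIs."""
    md5 = hashlib.md5(data).hexdigest()
    apis = [name.decode() for name in IN_MEMORY_LOADER_APIS if name in data]
    return {
        "format": macho_type(data),
        "md5": md5,
        "ioc_match": md5 in KNOWN_BAD_MD5,
        "in_memory_loader_apis": apis,
        "suspicious": md5 in KNOWN_BAD_MD5 or bool(apis),
    }


# Constructed sample: a fake 64-bit little-endian Mach-O header, filler, and
# two loader symbol names standing in for a real binary's string table.
SAMPLE_LOADER = (
    struct.pack("<I", 0xFEEDFACF)
    + b"\x00" * 28
    + b"\x00".join(IN_MEMORY_LOADER_APIS[:2])
    + b"\x00"
)
# Constructed benign input: a shell script, not a Mach-O at all.
SAMPLE_BENIGN = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for label, blob in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, triage(blob))
```

The hash comparison only helps against this exact file; a rebuilt dropper changes the md5, which is why the string scan is there as well. The signature warning the article mentions can be confirmed on a Mac with `codesign --verify --verbose` and `spctl --assess --type execute` against the downloaded app bundle; an unsigned or un-notarized bundle fails both.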
Another security researcher, Patrick Wardle, noted there were “clear overlaps” between the malware found on the supposed cryptocurrency exchange “unioncrypto.vip,” and other types of malware attributed to Lazarus, a well-known North Korean hacking group.
As CryptoGlobe reported, Lazarus is believed to have stolen $882 million worth of cryptoassets since 2017, making it the "most successful" cryptocurrency hacking organization ever. In 2018 alone, the group stole over $570 million worth of cryptoassets, as it is believed to be behind high-profile hacks of Asian crypto exchanges.
A report from March of this year by cybersecurity firm Kaspersky noted that Lazarus had an ongoing campaign targeting cryptocurrency firms with malicious documents that download and install malware on victims' devices.
According to a UN panel, the Lazarus group's goal is to help North Korea bypass sanctions. South Korea, as reported, has directly accused Pyongyang of stealing millions from its cryptocurrency exchanges, and investigations have looked into whether Lazarus was involved in the theft of $530 million worth of NEM from Coincheck.
Featured image via Pixabay.