Lazarus Group also called as HIDDEN COBRA is a cybercrime group which is responsible for many worldwide cyber attacks. This group is now using MacOs malware and fake installer to hack cryptocurrency exchange, cyber security company Kaspersky Lab disclosed on Thursday, August 23.
The Lazarus group is responsible for “Operation Troy”, a cyber-espionage campaign that used unsophisticated distributed denial-of-service attack (DDoS) techniques to target the South Korean government in Seoul. This attack took place from 2009–2012. It is not yet clear who is really behind the group, but few media reports have suggested the group is a North Korean group.
According to Kaspersky Lab, Lazarus group is the major player in the Advanced Persistent Threat world. This group is mainly involved in cyber crimes like cyberespionage, cybersabotage. It is also hacking banks and other financial companies around the world. Over the last few months, Lazarus has compromised various banks and penetrated a number of global cryptocurrency exchanges and fintech companies. While inspecting a cryptocurrency exchange hacked by Lazarus, Kaspersky Lab found that the victim had been infected by using a trojanized cryptocurrency trading application, which had been suggested to the company over email. It was further found that company’s employee had willingly downloaded a third-party application from an authorized looking website and after that their computer had been infected with malware known as Fallchill. Fallchill is an old tool that Lazarus has started using again. After that, to avoid OS blocking the hackers developed malware for other platforms like macOS. This shows that the Lazarus group is now targeting non-Windows platforms.
What is Operation AppleJeus?
Kaspersky stated that,
At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.
The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and used as unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS Kaspersky decided to call this Operation AppleJeus.
Trojanized application for Windows
In this, the attackers used sophisticated technique. The trojan code was forced in the form of an update for a trading application. An authenticated and legal looking application called Celas Trade Pro from Celas Limited displayed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas. Any user could download the trading application from the Celas website. Kaspersky researchers found that the installation package downloaded from the website showed the presence of a very suspicious updater.
Windows version of the installation package:
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC
Trojanized trading program for macOS
In this case, Celas LLC also gave a local version of its trading app. A hidden “autoupdater” module is inserted in the background to work instantly after installation, and after each system reboot. It then communicates with command and control (C2) server so that it can download and run an extra executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018
Kaspersky Lab further explained that,
Once the Cellas Trade Pro app is installed on macOS, it starts the Updater application on the system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.
The trojan works similar to the Windows version. Both applications are applied using a cross-platform QT framework. After launching, the downloader makes a special identifier for the infected host using a “%09d-%06d” format string template. After that, the app gathers basic system information, which for macOS is done via dedicated QT classes.
This is not the first time that the Lazarus Group has targeted cryptocurrency exchanges – or mainly the ones on South Korea. In the past, they are known to have launched attacks on platforms such as Bithumb, YouBit, and Coinlink.
- PEPE Coin Price to Reach $5 in the Next Seven Days?
- Hacking Group Lazarus Stole $571 Million in Cryptocurrency
- CoinTicker Crypto Tracking App Installs Backdoors On Mac Computers
- Shiba Inu Price Prediction: How High can SHIB Price reach by 2030?
- What is Lost Relics Crypto and How to Get Started?
- Crypto Malware found in Adobe Flash Player Updates
- Telegram Zero-Day Vulnerability Used By Hackers To Spread Cryptocurrency Miner.
- Telecom Egypt is Secretly Redirecting Egyptian Internet Users to Mine Cryptocurrency
- Has Your Computer Been Cryptojacked?
- Which Monero Wallet to use?
- Hacking vulnerability influences the crypto-sphere in the Korean Peninsula
- UN Panel: North Korea Hacking Crypto Exchanges to Avoid Sanctions
- SFF x SWITCH 2020 Kicks Off with a Live Global Audience
- Malware attacks SCADA network to mine cryptocurrency
- How To Protect Your Cryptocurrency Against Hackers?
- Built On Ethereum – Raiden Network Gets The Alderaan Mainnet Release
- Norton Crypto: is it a Good Mining Alternative in 2022?
You might also like
More from Blockchain For Dummies
This comprehensive guide delves into the aspects of Web3 security, offering in-depth insights for safely navigating this world.
eToro is a social trading and multi-asset brokerage company that focuses on providing financial and copy trading services.