The Lazarus Group, also known as HIDDEN COBRA, is a cybercrime group responsible for many cyber attacks worldwide. The group is now using macOS malware and a fake installer to attack cryptocurrency exchanges, the cyber security company Kaspersky Lab disclosed on Thursday, August 23.
The Lazarus Group is responsible for "Operation Troy", a cyber-espionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques against the South Korean government in Seoul. The attacks took place from 2009 to 2012. It is not yet clear who is really behind the group, but some media reports have suggested that it is North Korean.
According to Kaspersky Lab, the Lazarus Group is a major player in the advanced persistent threat (APT) world. The group is involved mainly in cyber-espionage and cyber-sabotage, and it also attacks banks and other financial companies around the world. Over the last few months, Lazarus has compromised various banks and penetrated a number of global cryptocurrency exchanges and fintech companies. While investigating a cryptocurrency exchange breached by Lazarus, Kaspersky Lab found that the victim had been infected through a trojanized cryptocurrency trading application, which had been recommended to the company over email. It further found that an employee of the company had willingly downloaded the third-party application from a legitimate-looking website, after which their computer was infected with malware known as Fallchill. Fallchill is an old tool that Lazarus has started using again. After that, to avoid being blocked by the operating system, the attackers developed malware for other platforms such as macOS. This shows that the Lazarus Group is now targeting non-Windows platforms.
What is Operation AppleJeus?
Kaspersky stated that,
At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.
The malware author developed this project under the codename "jeus", which was discovered in a PDB path included in the updater and was also used as the unique separator string for HTTP multipart message data. Because of this, and because the attacked platforms include Apple macOS, Kaspersky decided to call this Operation AppleJeus.
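The page notes that the codename was reused as the separator (boundary) string of the updater's HTTP multipart uploads, which makes it a usable network artifact. The following is an added example, not code from the article or from Kaspersky Lab: it extracts the boundary declared in a request's Content-Type header and checks it against a watchlist of substrings. The sample request, its host name, path and exact boundary value are constructed placeholders, not observed indicators.

```python
import re
from typing import Optional

# Constructed sample request modelled on the page's description: a multipart
# POST disguised as an image upload whose boundary contains "jeus". The host,
# path and boundary value are illustrative, not real indicators of compromise.
SAMPLE_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: updates.example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----jeusXXXXXXXX\r\n"
    "Content-Length: 128\r\n"
    "\r\n"
    "------jeusXXXXXXXX\r\n"
    'Content-Disposition: form-data; name="file"; filename="image.jpg"\r\n'
    "\r\n"
    "...encrypted payload bytes...\r\n"
    "------jeusXXXXXXXX--\r\n"
)

# Substrings that, if found inside a multipart boundary, are worth flagging.
# Boundaries are normally random tokens generated by the HTTP library, so a
# fixed, readable word in them is an anomaly on its own.
WATCHLIST = ("jeus",)

# boundary=value or boundary="value"; stop at ';', '"' or end of line.
_BOUNDARY_RE = re.compile(r'boundary="?([^";\r\n]+)"?', re.IGNORECASE)


def extract_boundary(raw_request: str) -> Optional[str]:
    """Return the multipart boundary declared in Content-Type, or None."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type" and "multipart/" in value.lower():
            match = _BOUNDARY_RE.search(value)
            return match.group(1) if match else None
    return None


def flag_boundary(raw_request: str) -> Optional[str]:
    """Return the matched watchlist term if the boundary looks suspicious, else None."""
    boundary = extract_boundary(raw_request)
    if boundary is None:
        return None
    lowered = boundary.lower()
    for term in WATCHLIST:
        if term in lowered:
            return term
    return None


if __name__ == "__main__":
    print("boundary:", extract_boundary(SAMPLE_REQUEST))
    print("flagged term:", flag_boundary(SAMPLE_REQUEST))
```

The same two functions can be run over decrypted proxy logs or a PCAP exporter's reassembled requests; only the boundary string is inspected, so the check is cheap and does not depend on being able to decode the encrypted payload the page describes.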
Trojanized application for Windows
Here the attackers used a sophisticated technique: the trojan code was delivered in the form of an update for a trading application. A legitimate-looking application called Celas Trade Pro from Celas Limited displayed no signs of malicious behaviour and appeared genuine. It is an all-in-one cryptocurrency trading program developed by Celas, and any user could download it from the Celas website. Kaspersky researchers found, however, that the installation package downloaded from the website contained a very suspicious updater.
Windows version of the installation package:
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC
Trojanized trading program for macOS
In this case, Celas LLC also provided a macOS version of its trading app. A hidden "autoupdater" module is installed in the background to run immediately after installation and after each system reboot. It then communicates with a command and control (C2) server so that it can download and run an additional executable from the server. The communication follows the same pattern as the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018
Kaspersky Lab further explained that,
Once the Celas Trade Pro app is installed on macOS, it starts the Updater application on the system load via a file named ".com.celastradepro.plist" (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The "Updater" file is passed the "CheckUpdate" parameter on start.
The trojan works similarly to the Windows version. Both applications are implemented using the cross-platform QT framework. After launching, the downloader creates a special identifier for the infected host using a "%09d-%06d" format string template. After that, the app gathers basic system information, which on macOS is done via dedicated QT classes.
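The persistence mechanism described above (a dot-prefixed launchd plist that starts an "Updater" binary with the "CheckUpdate" argument at every login) leaves artifacts a defender can check for. The following is an added example written for this page, not code from the article or from Kaspersky Lab: it parses a launchd property list, flags a hidden file name, a RunAtLoad entry and any watch-listed argument, and can walk the usual LaunchAgents directories on a live Mac. The sample plist, its label and the binary path inside it are constructed for illustration and are not the real file's contents.

```python
import os
import plistlib

# Constructed sample modelled on the page's description: a hidden (dot-prefixed)
# LaunchAgent that runs an "Updater" binary with the "CheckUpdate" argument.
# Label, paths and structure are illustrative, not the real file.
SAMPLE_PLIST_NAME = ".com.celastradepro.plist"
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.celastradepro</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/CelasTradePro.app/Contents/MacOS/Updater</string>
    <string>CheckUpdate</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Argument strings whose presence in a login item deserves a second look
# (compared case-insensitively).
SUSPICIOUS_ARGS = {"checkupdate"}

# Directories launchd reads user and system jobs from.
LAUNCH_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def assess_launch_item(filename, plist_bytes):
    """Return a list of findings for one launchd plist; an empty list means nothing flagged."""
    findings = []
    # `ls` and Finder hide dot files, which is exactly why the sample uses one.
    if os.path.basename(filename).startswith("."):
        findings.append("hidden: file name starts with a dot")
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed plist is itself worth reporting
        return findings + [f"unparseable plist: {exc}"]
    # Either Program or ProgramArguments[0] names the executable.
    args = list(data.get("ProgramArguments") or [])
    if data.get("Program"):
        args = [data["Program"]] + args
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad: job starts at every login")
    for arg in args[1:]:
        if str(arg).lower() in SUSPICIOUS_ARGS:
            findings.append(f"argument {arg!r} passed to {args[0]}")
    return findings


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Walk launchd directories on a live system; return {path: findings} for flagged files."""
    report = {}
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):  # os.listdir includes dot files, unlike `ls`
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                findings = assess_launch_item(path, fh.read())
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Dry run on the constructed sample, then a scan of the real directories.
    print(SAMPLE_PLIST_NAME, assess_launch_item(SAMPLE_PLIST_NAME, SAMPLE_PLIST))
    for path, findings in scan_launch_dirs().items():
        print(path, findings)
```

RunAtLoad on its own is common in legitimate agents, so the useful signal is the combination: a hidden file name, a job tied to a third-party application bundle, and an argument that matches the behaviour described on the page. The scanner reports each finding separately so an analyst can weigh them rather than treating any one as conclusive.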
This is not the first time the Lazarus Group has targeted cryptocurrency exchanges, particularly those in South Korea. In the past it is known to have attacked platforms such as Bithumb, YouBit, and Coinlink.