
Cryptocurrency Malware by North Korean Hackers Is Targeting MacOS Machines

Kaspersky’s Global Research and Analysis Team (GReAT) has discovered a new type of malware that poses as a legitimate trading app but is capable of wreaking havoc and goes undetected after infecting the host machine.

The perpetrators are believed to be the Lazarus Group, a hacker collective allegedly backed by the North Korean government and known for vicious attacks that are often financially motivated.

Lazarus Group Malware Targets MacOS

According to GReAT, the new malware was built exclusively for macOS, and it targets cryptocurrency exchanges. Notably, this appears to be the first time the Lazarus Group has designed malware for the macOS ecosystem, which can be read as a sign that the group is moving on to a broader range of target platforms.

GReAT also believes that there is a Linux variant of the macOS malware, dubbed AppleJeus, which would mean the group is building different variants of its malware for different operating systems so that the victim's choice of operating system does not stand between the malware and its intended targets.

The researchers noted that this should be treated as a wake-up call for all non-Windows platforms — be it macOS, Linux, or any other OS.

Malware Comes From a Verified App Publisher

The most worrying aspect of the AppleJeus malware is that it piggybacks on a legitimate-looking cryptocurrency trading application called Celas Trade Pro. The publisher of the app has a valid digital certificate and seemingly legitimate domain registration records.

However, on closer investigation, the Kaspersky researchers found that the business address listed on the digital certificate was bogus.

“When you start looking at bits and pieces behind the application, even that starts looking more and more illegitimate,” says principal security researcher at Kaspersky, Kurt Baumgartner.

No doubt, this discovery is troubling, considering that it is almost impossible for a regular user to detect malware when it is delivered through an app with a valid digital certificate.

How Does Operation AppleJeus Infect Targets?

Kaspersky’s GReAT unit spotted the so-called Operation AppleJeus during its investigation of a breach at a cryptocurrency exchange. Upon further analysis, the researchers were able to figure out the malware’s modus operandi.

As previously stated, the AppleJeus malware piggybacks on a legitimate-looking crypto trading app, Celas Trade Pro. Once an unsuspecting user downloads and installs the macOS-only app, it launches a hidden “auto-updater” module in the background.

In a standard app, the auto-updater is designed to find and install newer versions of the app without requiring mandatory user engagement. But in the case of Celas Trade Pro, the auto-updater starts collecting information about the host machine soon after its activation.

It then sends all the information gathered from the now-infected host machine to a command-and-control (C&C) server so the perpetrators can analyze the data. If the hackers decide that the infected computer is worth targeting, they direct the app to install another update, called FallChill, which is a nasty Trojan.

Once installed, the FallChill Trojan gives the attackers practically unlimited remote access to the infected machine, which they can exploit to steal sensitive financial data (or any other data they want).
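The two-stage chain described above (a freshly installed app spawns an "auto-updater" helper that profiles the host, beacons to a remote server, and only then fetches a second stage) is exactly the kind of behaviour endpoint telemetry can surface even when the app itself carries a valid signature. The following is an added illustration, not code from Kaspersky, the article or the AppleJeus analysis: it runs a simple behavioural rule over constructed process and network events. The log format, the app bundle paths, the profiling command list, the remote addresses (documentation ranges) and the second-stage file name are all assumptions made up for the example; nothing here is an indicator from the actual report.

```python
"""Illustrative detection for the AppleJeus-style updater chain.

All telemetry, paths and hosts below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Commands treated as host profiling. Assumed list: the article only says the
# updater "collects information about the host machine" without naming tools.
PROFILING_CMDS = {"/usr/sbin/system_profiler", "/usr/bin/uname", "/usr/bin/sw_vers"}
# A helper that has already profiled the host and connects out this soon after
# its parent app starts is treated as a beacon (tunable assumption).
BEACON_WINDOW = timedelta(seconds=120)
# Executables outside these prefixes, run by a helper that already beaconed,
# are flagged as a possible second stage (assumed convention).
TRUSTED_EXEC_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")


@dataclass
class Event:
    ts: datetime
    kind: str      # proc_start | proc_exec | net_connect
    pid: int
    ppid: int
    image: str     # executable path involved in the event
    detail: str    # args, remote address, or empty


def parse_log(text: str) -> List[Event]:
    """Parse the constructed 'ts|kind|pid|ppid|image|detail' line format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, ppid, image, detail = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), kind, int(pid), int(ppid), image, detail))
    return events


def is_third_party_app(image: str) -> bool:
    """User-installed app bundle under /Applications (assumed convention)."""
    return image.startswith("/Applications/") and ".app/" in image


def detect_updater_chain(events: List[Event]) -> List[dict]:
    """Flag (1) a helper of a third-party app that profiles the host and then
    connects out shortly after the app starts, and (2) any untrusted binary
    that helper executes afterwards."""
    start_time: Dict[int, datetime] = {}
    image_of: Dict[int, str] = {}
    profiled: Set[int] = set()
    beaconed: Set[int] = set()
    findings: List[dict] = []
    for ev in events:
        if ev.kind == "proc_start":
            start_time[ev.pid] = ev.ts
            image_of[ev.pid] = ev.image
        elif ev.kind == "proc_exec":
            if ev.image in PROFILING_CMDS:
                profiled.add(ev.pid)
            elif ev.pid in beaconed and not ev.image.startswith(TRUSTED_EXEC_PREFIXES):
                findings.append({"rule": "second_stage_exec", "pid": ev.pid,
                                 "image": ev.image, "ts": ev.ts})
        elif ev.kind == "net_connect":
            parent_image = image_of.get(ev.ppid, "")
            parent_start = start_time.get(ev.ppid)
            if (is_third_party_app(parent_image) and parent_start is not None
                    and ev.ts - parent_start <= BEACON_WINDOW and ev.pid in profiled):
                beaconed.add(ev.pid)
                findings.append({"rule": "updater_beacon", "pid": ev.pid,
                                 "parent": parent_image, "remote": ev.detail, "ts": ev.ts})
    return findings


# Constructed sample: a suspicious trading app, a browser, and a benign
# updater that connects out without profiling the host first.
SAMPLE_LOG = """\
2018-08-20T10:00:00|proc_start|401|1|/Applications/CelasTradePro.app/Contents/MacOS/CelasTradePro|
2018-08-20T10:00:03|proc_start|402|401|/Applications/CelasTradePro.app/Contents/MacOS/Updater|
2018-08-20T10:00:04|proc_exec|402|401|/usr/sbin/system_profiler|SPHardwareDataType
2018-08-20T10:00:05|net_connect|402|401|/Applications/CelasTradePro.app/Contents/MacOS/Updater|203.0.113.10:443
2018-08-20T10:00:40|proc_exec|402|401|/private/tmp/.update_payload|
2018-08-20T10:05:00|proc_start|510|1|/Applications/Safari.app/Contents/MacOS/Safari|
2018-08-20T10:05:01|net_connect|510|1|/Applications/Safari.app/Contents/MacOS/Safari|198.51.100.5:443
2018-08-20T10:06:00|proc_start|520|1|/Applications/OtherApp.app/Contents/MacOS/OtherApp|
2018-08-20T10:06:02|proc_start|521|520|/Applications/OtherApp.app/Contents/MacOS/Updater|
2018-08-20T10:06:03|net_connect|521|520|/Applications/OtherApp.app/Contents/MacOS/Updater|192.0.2.7:443
"""


def run_sample() -> List[dict]:
    return detect_updater_chain(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The rule deliberately keys on the sequence (profile, then beacon, then execute something from an unusual location) rather than on any file hash or domain, since the whole point of the article is that the app and its certificate looked legitimate; the benign updater in the sample connects out just as quickly but is not flagged because it never profiled the host.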

Published by
Priyeshu Garg

