Lazarus Hacking Group Targets Cryptocurrency MacOS Users

The latest Lazarus campaign was first spotted after it had compromised an Asian cryptocurrency exchange.

Computer security firm Kaspersky Lab today warned Mac users that Lazarus, a notorious hacking group allegedly operating from North Korea, has adapted its cryptocurrency-stealing malware to target Apple OS machines.

Lazarus is believed to be responsible for major online attacks, including the $80 million Bangladesh cyber bank heist and 2014’s Sony Pictures hack.

Join the iFX EXPO Asia and discover your gateway to the Asian Markets

The group has resurfaced once again with a phishing campaign called ‘AppleJeus’, which aims to plant a malware dubbed ‘Fallchill’ on macOS users’ PCs.

The malware campaign was uncovered by Kaspersky, which also noted that Lazarus is developing a version targeting Linux users. The Russian company says the latest attacks are different to other Lazarus phishing operations, using novel code to infect machines.

The newest Lazarus campaign was first spotted after it had successfully compromised an Asian cryptocurrency exchange. The researchers then discovered a Trojan-infected cryptocurrency trading app called Celas Trade Pro that was downloaded from a legitimate-looking website claiming to be Celas Limited.

Suggested articles

Why Ethereum Needs Layer 2 Solutions More Than EverGo to article >>

Once installed on the computer, the malware looks for cryptocurrency info on the system to check if it’s worth compromising, and then uses a hidden updater tool to control infrastructure and initiate the process of stealing the cryptocurrency via a second-stage installation.

Hackers Cash In on Crypo Euphoria

Kaspersky further explains: “Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.”

“Including malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application,” Kaspersky Lab researchers note.

According to a recent Kaspersky report, the number of victims of ICO robberies exceeds 60,000, with nearly $300 million worth of Bitcoin stolen‎. Earlier this year, Kaspersky detected a new malware able to steal cryptocurrencies from users’ web wallets by replacing their address with that of its creator.

The report goes on to say that cryptocurrency holders should be especially careful because it is almost impossible to recover any stolen money. Not helping matters were previously known holes in several Bitcoin exchanges, for which Kaspersky‎ had issued patches, which made the hackers’ jobs easier.

Got a news tip? Let Us Know