The North Korean linked Lazarus group has been on both government and security firms advanced persistent threat (APT) watch lists for a while now. Sometimes referred to as Hidden Cobra, particularly by the US Computer Emergency Readiness Team (US-CERT), the group has conducted many cyber espionage campaigns as well as targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies. Much of the groups work targeted Windows systems and machines. However, the group is now targeting MacOS.
Lazarus Group is perhaps most well-known for the Sony Pictures hack which occurred in October 2014. The group managed to gain access to the media giant’s network and stole massive amounts of confidential data and then leaked them online. The hack was seen as retaliation to the movie The Interview starring James Franco which was seen by Lazarus group as derogatory to North Korea. The group also issued vague threats to theatres who intended to show the film. Sony canceled the release of the movie as a result of the hack and subsequent threats.
Jump back to the present day and it would appear the group is still hard at work. In what may be a first, researchers at Kaspersky Labs have detected instances of the group targeting Mac users. In a report by the Russian security firm researchers have codenamed the hack Operation AppleJeus. The hack managed to penetrate the IT systems of an Asia-based cryptocurrency exchange platform. It would appear from initial reports that the exchange suffered no immediate financial loss. The group was able to gain access to the exchange’s network via a weaponized app downloaded the employees.
According to Kaspersky, the exchange's employees downloaded an app from a legitimate-looking website that claimed to be from a company that develops cryptocurrency trading software. While the app appeared legitimate it was injected with a RAT. A remote access trojan, or RAT, is a malware program that includes a backdoor for administrative control over the target computer.
User’s infected with Fallchill
The RAT used in this campaign was analyzed by researchers and determined to be Fallchill. The RAT is known to be associated with the Lazarus Group since at least 2016 when it was deployed for the first time in live campaigns. Previously the RAT was only installed on Windows systems and this campaign continued that trend. What struck researchers was that the hackers also deployed a Mac malware strain, something they have not done before. The malware was hidden inside the Mac version of the same cryptocurrency trading software. Unfortunately for the employees at the yet to named cryptocurrency exchange the Windows and Mac malware wasn't visible inside the tainted app. Lazarus operators did not embed the malware inside the third-party app directly but merely modified its update component to download the malware at a later date.
Further, Lazarus Group signed the trojanised cryptocurrency trading software with a valid digital certificate. This enabled the malware to bypass security. There is a mystery that surrounds this digital certificate as Kaspersky’s researchers were unable to prove it ever existed at the address in the certificate's information. Bleeping Computer spoke to Vitaly Kamluk, Head of GReAT APAC at Kaspersky Lab before Kaspersky published its findings on its own blog. With regards to the certificate, Kamluk said,
"The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,”
An escalation in Cryptocurrency Exchange attacks
Since late 2017 security firms have been attempting to monitor Lazarus Group’s actions closely with regard to cryptocurrency exchanges. What many firms have noticed is an increase in attacks on such exchanges, especially those located in South Korea. It is believed that the hacks are done in order to bring in sorely needed funds into North Korea. So far several Asian cryptocurrency exchange platforms suffered security incidents, primarily exchange platforms located in South Korea. Hacks have been reported at Yapizon, YouBit, Coinrail, and Bithumb again.
In another report by TrendMicro, the details of a supply chain attack were published. The report did specify that a South Korean organization was targeted but the report never attributes the hack to North Korea, nor does it name the specific organization. There will be more than a few researchers and security experts in both the government and private firms who see this attack linked to the recent spate of cryptocurrency exchange hacks. The reason for their assumption rests with the tactics employed. Lazarus Group does favor the use of supply chain attacks to infect networks with their custom malware. The above Mac malware is an example of this. Kaspersky was quick to point out that the campaign they detected may not be related to the recent attacks in South Korea, as the exchange affected is not based in South Korea. As to whether they are related only time and many hours of research will be able to tell.
While most of us would like to know who’s responsible and what their motives are, there is something to worry about in the short term. That worry is that an APT well knew for their ability and past attacks can also target Mac users.