If you have installed a program called JMT Trader to facilitate cryptocurrency trades you got far more than you bargained for. Last week the MalwarehunterTeam discovered a scam developed to distribute malware to both Mac and Windows machines. The scammer created a fake company to distribute a free cryptocurrency trading platform called JMT Trader. Once installed the trading platform would further install a backdoor trojan onto the machine.
Central to the scam is the website created by the attacker. It looks like any professionally done website, hoping to trick people who landed on it into downloading the free program the “company” offers. To further trick users and give the fake company some more legitimacy, the attackers also created a Twitter account, but have done little to maintain it or make it appear active. The last tweet on the account dates back to June 2019. If the user is looking to download the trading platform they are redirected to a GitHub repository where both Mac and Windows executables can be downloaded. The repository also contains the source code to the platform for those wishing to compile the code for Linux. At this stage, nothing appears to suggest any malware or malicious intent on the behalf of the attacker.
Even once downloaded and installed the user of the platform will notice nothing inherently wrong with the program. The platform does allow the user to legitimately trade cryptocurrencies. That is because the program is a clone of another trading platform called QT Bitcoin Trader. All is well and good, the user can now trade cryptocurrencies just as they intended and the company promised. Upon installation is where the true intentions of the attacker surface. Once installed the installer will extract a second file, a program called CrashReporter.exe and save it to the %AppData%\JMTTrader folder. This program, rather than being the crash reporting feature it advertises itself to be is the trojan component. At the time of writing VirusTotal confirmed that 29 out of 69 malware engines were detecting the program as malware. A significant improvement over the 5 detections on October 12 but still less than half.
CrashReporter.exe has been analyzed by security researcher Vitali Kremez who found that the program creates a scheduled task which launches the “reporter” every time the user logs on. Further, when the CrashReporter.exe executable is launched, it will connect back to a command and control server belonging to the attacker to receive commands which are then executed by the backdoor. As to the exact goal of the malware, little is known. It may either be running simply as a backdoor to distribute other malware strains in the future or maybe actively stealing cryptocurrency wallets or exchange logins. Regardless, if you have installed the trading platform it is advised you search your computer thoroughly and remove %AppData%\JMTTrader\CrashReporter.exe if found.
AppleJeus and Lazarus
Upon analysis, MalwareHunter Team noticed that the backdoor was incredibly similar to one believed to be used by the North Korean APT group Lazarus who have been known to target Mac machines as well as their Windows counterparts. Codenamed AppleJeus, it was also spread via a supposed cryptocurrency trading platform. An incident discovered in August 2018 by Kaspersky Labs led to the analysis of the backdoor tool as well as who was behind the distribution of the malware.
The incident occurred as a result of an employee of a cryptocurrency exchange mistakenly downloaded a trojanized cryptocurrency trading application. Like with the most recent trojan AppleJeus also targeted Mac machines with the fake platform been called Celas Trade Pro. In this instance rather than a bogus crash reporting feature, the trojan was downloaded and installed as a bogus auto-updater which was programmed to start immediately after installation and upon reboot. The malware would run in the background hopefully hidden for as long as possible. The trojan would communicate to the command and control server and could further run additional executables from the server. While both attacks are different they are only different in terms of fake companies and file names. The tactics used are remarkably similar, something the MalwareHunter Team was quick to notice.
Kaspersky, in providing evidence as to the link between AppleJeus and Lazarus, noted that,
“Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate-looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.”
Kaspersky’s conclusion on the incident should be seen as a warning to Mac users, both in personal and professional use. Researchers noted,
“First of all, the Lazarus group has entered a new platform: macOS. There is a steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform because compromising developers opens many doors at once.”
Both incidents are a reminder not to trust third-party software automatically. Users, whether on Mac or Windows machines, it is advised that users do some research first to see whether the application is indeed legitimate before installation. When in doubt rather err on the side of caution.