Hackers from the Lazarus group are attacking macOS users

Researchers have discovered a series of attacks by the Lazarus group, which is targeting cryptocurrency exchanges with malware that now also runs on macOS. According to Kaspersky Lab, a cryptocurrency exchange based in Asia was infected with a Lazarus Trojan, and the campaign has delivered malware to computers running both Windows and macOS.

The researchers say that the Trojan, previously seen only on Windows, is now aimed at macOS users in order to steal cryptocurrency. This is the first known case of Lazarus, widely believed to be a North Korean state-sponsored group, successfully distributing malware to Mac computers. Earlier Lazarus campaigns targeted South Korean research centres and political organizations through unpatched Windows vulnerabilities. The attackers have largely reused old code to build the new attacks, but they should not be underestimated.

The group has already carried out several attacks on cryptocurrency exchanges to steal coins, including phishing emails carrying malware that compromises users' wallets. That approach still works, but the attackers have gone further and are now targeting exchanges more broadly by distributing a trojanized program disguised as legitimate software available for download on the Internet.

Security experts said that an employee of one of the exchanges downloaded an application offered as cryptocurrency trading software. Neither the website nor the software appeared malicious. The software, however, contained an update module that collects basic information about the host and sends it to the command-and-control server. According to the researchers, if the attackers decide that a machine is "worth attacking," they push a software update to it. This "update", built for both Windows and macOS, installs the Fallchill Trojan, an older tool that Lazarus has brought back into use. The Trojan can be used to steal financial information and compromise a wallet, and to carry out further malicious tasks. Staging the attack this way means that sandboxes, analysts and most victims only ever see the benign-looking updater; the payload reaches selected hosts, at a time of the operator's choosing.
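The first stage described above is hard to spot as malware, but it has one property a defender can use: the updater reports to the same command-and-control host on a schedule. The script below is an added example written for this article, not code from Kaspersky Lab or from the article's source. It runs a simple beacon check over outbound connection logs, flagging any process that contacts one host at near-constant intervals. The log format, process names, hosts and timestamps are constructed for the example and are not indicators from the real campaign.

```python
"""Detect periodic check-ins ("beacons") in outbound connection logs.

Added example written for this article; it is not code from Kaspersky Lab or
from the article's source. A trojanised updater that reports basic host
information to a command-and-control server on a timer leaves a regular
pattern in proxy or EDR logs, even when the traffic itself looks harmless.
The log format, process names, hosts and timestamps below are constructed
for the example and are not indicators from the real campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one event per line:
# "<ISO-8601 timestamp> <process> <HTTP method> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2018-08-20T09:00:00 Updater POST update.example-trading.test 412
2018-08-20T09:01:12 Safari GET news.example.test 880
2018-08-20T09:02:40 Safari GET news.example.test 1024
2018-08-20T09:03:15 Mail POST mail.example.test 2048
2018-08-20T09:05:01 Updater POST update.example-trading.test 410
2018-08-20T09:07:05 Safari GET news.example.test 640
2018-08-20T09:10:00 Updater POST update.example-trading.test 411
2018-08-20T09:14:59 Updater POST update.example-trading.test 412
2018-08-20T09:20:02 Updater POST update.example-trading.test 410
2018-08-20T09:25:30 Mail POST mail.example.test 1900
2018-08-20T09:30:55 Safari GET news.example.test 700
"""


def parse_line(line):
    """Split one log line into (timestamp, process, host); None on malformed input."""
    fields = line.split()
    if len(fields) != 5:
        return None
    try:
        ts = datetime.fromisoformat(fields[0])
    except ValueError:
        return None
    return ts, fields[1], fields[3]


def find_beacons(lines, min_events=4, max_jitter=0.15):
    """Return (process, host) pairs whose connection intervals are suspiciously regular.

    min_events: fewest connections needed before a pattern is judged at all.
    max_jitter: largest allowed ratio of interval standard deviation to mean
                interval; a person browsing a site has far more spread than a
                timer-driven beacon, which is what this threshold separates.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, process, host = parsed
            events[(process, host)].append(ts)

    findings = []
    for (process, host), stamps in sorted(events.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue  # all timestamps identical: nothing periodic to measure
        jitter = pstdev(deltas) / avg
        if jitter <= max_jitter:
            findings.append({
                "process": process,
                "host": host,
                "count": len(stamps),
                "mean_interval_s": avg,
                "jitter": jitter,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['process']} -> {f['host']}: {f['count']} connections, "
              f"every {f['mean_interval_s']:.0f}s (jitter {f['jitter']:.3f})")
```

On the constructed log only the Updater process is flagged: five connections to one host about 300 seconds apart with a jitter ratio well under 1%, while the Safari traffic to the same news site has four connections but wildly uneven spacing and the Mail traffic never reaches the minimum event count. In practice the thresholds need tuning per environment, and legitimate software updaters will also beacon; the value of the check is that it surfaces a short list of (process, host) pairs whose signing identity and reputation are then worth examining by hand.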

The installer was signed with a valid developer certificate belonging to the company through which the malware was distributed, which is why the malicious component was so hard to identify. However, the organization that issued the certificate could not be identified... A valid signature shows only that the signer held the private key for that certificate; it says nothing about whether the software is safe, so signature validity alone is no basis for trusting a download.

“We noticed an interest in cryptocurrency at the beginning of 2017, when members of a criminal group installed software for hidden mining of the Monero coin on one of our servers,” said Vitaly Kamluk, one of the Laboratory’s experts. “Since then, scammers have attempted to target cryptocurrency exchanges alongside traditional financial institutions several times.”

“The fact that they developed malware to infect macOS users in addition to Windows users, and most likely even created a fake company and software product to be able to distribute this malware that security systems cannot detect, means that they intend to make very large profits, and we should expect more attacks in the near future,” Kamluk said.



According to zdnet.com
