"It makes sense to me that Lazarus would try its hand at macOS," Ian Thornton-Trump, cyber threat intelligence expert and CompTIA global faculty member, told SC Media UK, adding, "it's a popular OS and is found in use by high value targets."
The Lazarus Group, an APT actor commonly attributed to the North Korean government, has been active for a decade. Whereas we most commonly associate state-backed APT players with cyber-espionage, the Lazarus Group is firmly in the cyber-crime camp: it serves the state by pursuing financial gain in order to circumvent the economic sanctions imposed on the regime. A common target has been the cryptocurrency exchange business, and Apple users now appear to be squarely in those high-value target crosshairs.
According to an analysis by respected security researcher Patrick Wardle, the Lazarus Group has risen this time around with a fileless malware threat aimed squarely at macOS. After being alerted to the threat by a Twitter posting from Dinesh Devadoss, which included an MD5 hash and a URL, Wardle was able to dissect the infection mechanism of this latest Lazarus Group threat. The fileless threat carries all the markings of a first-stage Lazarus Group 'implant' and could "remotely download and execute payloads directly from memory," according to Wardle.
Despite having a very low detection rate on VirusTotal, all but non-existent when Wardle carried out his analysis earlier this week, the UnionCryptoTrader malware sample could be very nasty were it to be used in the wild. Luckily, that appears not to have happened: there were no download links on the fake crypto distribution website at the time of analysis, and the package did not carry a valid certificate, so it would not have got past macOS security defences without triggering a warning. The command and control server had no payload to deliver either. All of which suggests that this threat was detected before the Lazarus Group had the opportunity to execute an attack.
However, that such a well-resourced and successful threat actor had developed fileless malware aimed at macOS, something that is much more common in Windows malware, does serve as a reminder to Apple users that their machines, and the data upon them, are of real interest to the most sophisticated of attackers. The pivot to this new threat mode should ring alarm bells that mustn't be ignored.
What interests Thornton-Trump the most is the early-stage detection, which he calls a huge victory, and something all too rare against any APT actor. "I think celebrations may be short-lived though," Thornton-Trump warns, "Lazarus, like the name implies, rises time after time with constant improvements in code and opsec." Given that macOS, Windows and Linux all suffer from exploitable vulnerabilities at the OS and the third-party application layer, all the standard mitigation rules apply.
The difference when it comes to many Macs in business, Thornton-Trump suggests, is that they suffer from no, or at best minimal, centralised management, which means the responsibility for managing updates falls more heavily on the end user. Jake Moore, a cyber-security specialist at ESET, agrees. Having spoken to many businesses at the smaller end of the SME scale, for example, he has found it to be commonplace for no malware protections to be in place because "they think it comes with it."
It's worth remembering that, while fileless malware is undoubtedly a dangerous and stealthy threat, it still relies on basic awareness errors by the user. In this case that would have been the downloading of a fake cryptocurrency application. "Even with good social engineering, it is still worth reminding users to be aware of such antics used by threat actors," Moore concludes, "enterprises should never allow individuals to download any software to their machines without further approval."