Phony Company Used to Plant macOS Malware: ReportMalware Designed to Infect Devices of Cryptocurrency Exchange Employees
Security researchers have found that a hacking group, which may have North Korean ties, recently created a phony company offering a cryptocurrency exchange platform as a step toward planting malware on the macOS devices of employees of cryptocurrency exchanges.
It's not clear how successful the malware-installation effort has been, analysts say.
Patrick Wardle, a Mac security specialist and principal security researcher Apple device management firm Jamf, described the scheme in a blog post after the MalwareHunterTeam, a research group associated with ID Ransomware, spotted the malware on Friday. If a macOS device is infected with the malware, the attackers can take complete control of the device, Wardle says.
Wardle found that the malware used to infect macOS devices is similar to other malicious software that Kaspersky has previously tied to the Lazarus Group, a North Korean hacking group suspected of several major cybercrimes, including the $81 million heist from Bangladesh Bank in February 2016 (see: Bangladesh Bank Sues to Recover Funds After Cyber Heist).
The analysis that Wardle published found the infection mechanism of both malware samples are nearly identical, and the installation process has a similar layout.
A United Nations' report published in August described how other money-stealing schemes work to help the North Korean government circumvent international sanctions and boost its economy (see: North Korean Hacking Funds WMD Programs, UN Report Warns).
Wardle notes that the attackers attempt to plant a backdoor Trojan on targeted macOS devices, which then plants the main malware.
In order to start this process, the attackers created a fake company called "JMT Trading," which includes a phony website as well as a GitHub page. The goal, Wardle says, is to get victims to download a fake cryptocurrency trading platform that contains the Trojan, Wardle says.
The hackers are likely targeting employees of other cryptocurrency exchanges, Wardle says, although the analysis does not indicate whether the attackers were attempting to steal virtual currency or manipulate financial data of these exchanges.
When analyzing the attack, Wardle found that once the Trojan is installed, it then attempts to plant the malware. This malicious software can give the attacker full control of a macOS device as well as the ability to communicate with a command-and-control server, which can then upload files to the infected system.
"The group may even go further by contacting administrators and users of cryptocurrency exchanges, asking them to test and review their new app," Wardle told Forbes.
The MalwareHunterTeam first described the malware and the fake company in a Tweet.
So, in short: anyone installed this "JMT Trader" recently (or anytime? - others will probably have the time to dig and find out...), got some APT's malware with it too... pic.twitter.com/tEYJZEYxAq— MalwareHunterTeam (@malwrhunterteam) October 11, 2019
In 2018, Kaspersky researchers described a similar attack that they tied to Lazarus, with malware that the security firm called AppleJeus.
In that case, victims were lured to download a trojanized cryptocurrency application sent in phishing emails. At the time, the attackers developed malware for macOS. The hackers also created a fake cryptocurrency exchange called "Celas."
Eyes on Lazarus
Several countries have attempted to put a stop to Lazarus’ activities.
In September, for example, the U.S. Treasury Department issued sanctions against Lazarus and two other smaller North Korean-linked groups for a number of cyber incidents, including the WannaCry ransomware outbreak, online bank heists and the destructive malware attack against Sony Pictures Entertainment (see: US Sanctions 3 North Korean Hacking Groups).