According to Kaspersky, the popular Russian cybersecurity firm, a North Korean hacker group named Lazarus has been actively involved in hacking and other related activities. The Kaspersky report states that the group has “successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.”
When security researchers investigated an attack by Lazarus on a cryptocurrency exchange, they found that an employee had inadvertently downloaded a malware named ‘AppleJeus’. Further enquiries revealed that the victim had downloaded a trojan crypto trading app suggested to the company via email.
The victim’s system was soon infected by Fallchill malware, which was used by Lazarus previously. Kaspersky also pointed out that it was the first time they saw the malware installed for other operating systems.
“To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.”
A fake, but original looking website was used to deliver the malware, reflecting new strategy. Notably, the Trojan was sent as an update to the trading app in a clever manner. The researchers, however, did not find any malicious behavior in the Celas Trade Pro software from Celas Limited.
Interestingly, a Mac and Windows version of the malware was sent in the form of a downloadable file, named celastradepro_win_installer_1.00.00.msi. Once the patch is installed, the Updater.exe module will deliver the malware coded to steal cryptocurrency.
In a detailed announcement, Kaspersky has explained how the malware infests systems. Additionally, the information gathered about the fake company has also been posted. Referring to Lazarus, Kaspersky said “Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.” South Korean exchanges were the main targets of hacker groups earlier this year.