Blockchain & Cryptocurrency , Cybercrime , Fraud Management & Cybercrime

Phony Company Used to Plant macOS Malware: Report

Malware Designed to Infect Devices of Cryptocurrency Exchange Employees
Phony Company Used to Plant macOS Malware: Report

Security researchers have found that a hacking group, which may have North Korean ties, recently created a phony company offering a cryptocurrency exchange platform as a step toward planting malware on the macOS devices of employees of cryptocurrency exchanges.

See Also: Bank on Seeing More Targeted Attacks on Financial Services

It's not clear how successful the malware-installation effort has been, analysts say.

Patrick Wardle, a Mac security specialist and principal security researcher Apple device management firm Jamf, described the scheme in a blog post after the MalwareHunterTeam, a research group associated with ID Ransomware, spotted the malware on Friday. If a macOS device is infected with the malware, the attackers can take complete control of the device, Wardle says.

Wardle found that the malware used to infect macOS devices is similar to other malicious software that Kaspersky has previously tied to the Lazarus Group, a North Korean hacking group suspected of several major cybercrimes, including the $81 million heist from Bangladesh Bank in February 2016 (see: Bangladesh Bank Sues to Recover Funds After Cyber Heist).

The analysis that Wardle published found the infection mechanism of both malware samples are nearly identical, and the installation process has a similar layout.

A United Nations' report published in August described how other money-stealing schemes work to help the North Korean government circumvent international sanctions and boost its economy (see: North Korean Hacking Funds WMD Programs, UN Report Warns).

Fake Company

Wardle notes that the attackers attempt to plant a backdoor Trojan on targeted macOS devices, which then plants the main malware.

In order to start this process, the attackers created a fake company called "JMT Trading," which includes a phony website as well as a GitHub page. The goal, Wardle says, is to get victims to download a fake cryptocurrency trading platform that contains the Trojan, Wardle says.

Fake "JMT Trading" website (Source: MalwareHuntingTeam)

The hackers are likely targeting employees of other cryptocurrency exchanges, Wardle says, although the analysis does not indicate whether the attackers were attempting to steal virtual currency or manipulate financial data of these exchanges.

When analyzing the attack, Wardle found that once the Trojan is installed, it then attempts to plant the malware. This malicious software can give the attacker full control of a macOS device as well as the ability to communicate with a command-and-control server, which can then upload files to the infected system.

"The group may even go further by contacting administrators and users of cryptocurrency exchanges, asking them to test and review their new app," Wardle told Forbes.

The MalwareHunterTeam first described the malware and the fake company in a Tweet.

In 2018, Kaspersky researchers described a similar attack that they tied to Lazarus, with malware that the security firm called AppleJeus.

In that case, victims were lured to download a trojanized cryptocurrency application sent in phishing emails. At the time, the attackers developed malware for macOS. The hackers also created a fake cryptocurrency exchange called "Celas."

Eyes on Lazarus

Several countries have attempted to put a stop to Lazarus’ activities.

In September, for example, the U.S. Treasury Department issued sanctions against Lazarus and two other smaller North Korean-linked groups for a number of cyber incidents, including the WannaCry ransomware outbreak, online bank heists and the destructive malware attack against Sony Pictures Entertainment (see: US Sanctions 3 North Korean Hacking Groups).


About the Author

Apurva Venkat

Apurva Venkat

Special Correspondent

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.