Lazarus Targets Mac Users With Malware

Mac users should be on the alert. Advanced persistent threat (APT) group Lazarus is ramping up its cryptocurrency-stealing operations, this time targeting Apple's operating system.

Lazarus is a long-established hacking group and has been known to attack banks. Cybersecurity experts also attributed the Sony Pictures hack and the WannaCry virus to that group, which has been linked to North Korea.

Lazarus may have its finger in all kinds of pies, but its real bread and butter seems to be cryptocurrency exchanges. Russian cybersecurity research company Group-IB released a report late last year accusing Lazarus of stealing $571m in cryptocurrency since January 2017 — that’s more than half of all the cryptocurrency stolen during the same period.

According to research from anti-malware company Kaspersky, Lazarus had focused on hacking Windows machines until mid-2018, when it demonstrated a new ability to target Macs.

Kaspersky has been watching the group since then, and has found a new campaign that is aggressively targeting macOS systems.

The group has been spreading the malware using documents that would interest cryptocurrency professionals, and the attack seems aimed primarily at targets in South Korea because many of the documents are Korean. One example from Kaspersky is the business plan for a venture capital company, while another purports to be from a Chinese technology consulting group.

“It’s no secret that Apple products are now very popular among successful internet startups and fintech companies, and this is why the malicious actor built and used macOS malware,” Kaspersky said. “While investigating earlier Lazarus incidents, we anticipated this actor would eventually expand its attacks to macOS.”

This doesn't mean that Lazarus has been any less aggressive with its Windows-targeted attacks, though. It continues to distribute malware that uses Windows PowerShell scripts, which, like the macOS malware, communicate with the group's command and control servers to execute instructions from Lazarus on the victim's machine. These instructions include executing system shell commands, updating the malware configuration, and both uploading and downloading files.

Both the Mac and Windows attacks use the same hosting service, the same network communications, and the same backdoor functions, Kaspersky said. The company warned both macOS and Windows users who dabble in the cryptocurrency markets to be extra careful as the group continues with its targeted attacks.
