Not just Windows: macOS is a target too, and this time the attacker appears to be the infamous Lazarus group. A security researcher has found a sample that loads a Mach-O executable from memory and executes it. The sample is packaged as an installer for Union Crypto Trader, a site that advertises itself as a smart cryptocurrency arbitrage trading platform.
If you think Apple’s macOS is more secure than anything else, think again: it is subject to malware too. The well-known Lazarus group, associated with North Korea, is believed to be behind this attack. It is infamous for remotely implanting malware in order to gather confidential data.
Security researcher Dinesh Devodoss tweeted:
“Another #Lazarus #macOS #trojan md5: 6588d262529dc372c400bef8478c2eec hxxps://unioncrypto.vip/
Contains code: Loads Mach-O from memory and execute it / Writes to a file and execute it”.
He tagged security researchers Patrick Wardle and Thomas Reed to analyse the sample further.
After studying the malware, Patrick Wardle replied that “there are some clear overlaps” with the Lazarus group and with a first-stage sample that MalwareHunterTeam had flagged earlier.
Modus Operandi
The sample’s installer performs these steps, in order, to install and launch its payload:
- move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons, where launchd will load it at every boot, giving the job root-level persistence
- set it to be owned by root
- create a /Library/UnionCrypto directory
- move a hidden binary (.unioncryptoupdater) from the application’s Resources directory to /Library/UnionCrypto/unioncryptoupdater
- execute this binary (/Library/UnionCrypto/unioncryptoupdater)
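A hunt script for the persistence this installer sets up, added here as an example; it is not code from the sample, the researchers, or this article. It walks a LaunchDaemons directory, parses each plist (XML or binary) with the standard library, and flags jobs whose label, filename, or program path matches the indicators above, whose binary lives outside the usual system locations, or whose binary hashes to the MD5 in the tweet. The plist keys in the constructed fixture, the trusted-path list, and the choice to compare the tweeted MD5 against files on disk are assumptions of mine, not details from the page.

```python
"""Hunt for LaunchDaemon persistence like the Union Crypto Trader installer's.

Added example, not the malware's or the article's own code.  Indicators come from
the installer steps described above; everything marked 'assumption' is mine.
"""
import hashlib
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Indicators taken from the installer steps described above.
IOC_LABEL = "vip.unioncrypto"
IOC_PLIST_NAME = "vip.unioncrypto.plist"
IOC_DIR = "/Library/UnionCrypto"
# MD5 from the tweet quoted above; the page does not say which file it covers.
IOC_MD5 = "6588d262529dc372c400bef8478c2eec"

# Assumption: directories where a legitimate LaunchDaemon binary normally lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/",
                    "/Library/PrivilegedHelperTools/", "/Applications/", "/opt/")


def program_path(job: dict) -> Optional[str]:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    prog = job.get("Program")
    if isinstance(prog, str):
        return prog
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def md5_of(path: Path) -> str:
    """Streamed MD5 of a file, for comparison against a published hash."""
    digest = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_launch_daemon(path: Path) -> List[str]:
    """Findings for one LaunchDaemon plist; an empty list means nothing suspicious."""
    findings: List[str] = []
    if path.name.startswith("."):
        findings.append("hidden plist filename")
    try:
        with path.open("rb") as f:
            job = plistlib.load(f)  # parses both XML and binary property lists
    except Exception as exc:  # not a plist, or a corrupted one
        return findings + [f"unparseable plist: {type(exc).__name__}"]
    if not isinstance(job, dict):
        return findings + ["plist root is not a dictionary"]

    # The installer may keep or drop the leading dot on the plist; cover both.
    if job.get("Label") == IOC_LABEL or path.name.lstrip(".") == IOC_PLIST_NAME:
        findings.append("label or filename matches the Union Crypto Trader IOC")

    prog = program_path(job)
    if prog is None:
        findings.append("no Program or ProgramArguments")
    elif prog.startswith(IOC_DIR + "/"):
        findings.append(f"program lives in {IOC_DIR}")
    elif not prog.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted paths: {prog}")
    if prog and Path(prog).is_file() and md5_of(Path(prog)) == IOC_MD5:
        findings.append("program MD5 matches the tweeted sample hash")
    if findings and job.get("RunAtLoad"):
        findings.append("RunAtLoad set: launchd starts this job at boot")
    return findings


def scan_launch_daemons(directory: Path) -> Dict[str, List[str]]:
    """Scan every .plist in directory (hidden ones included); return only hits."""
    hits: Dict[str, List[str]] = {}
    for p in sorted(directory.iterdir()):
        if p.is_file() and p.name.endswith(".plist"):
            found = check_launch_daemon(p)
            if found:
                hits[p.name] = found
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed fixtures: a job shaped like the installer's, and a benign one.

    Assumption: the real plist uses Label/ProgramArguments/RunAtLoad as below.
    """
    tmp = Path(tempfile.mkdtemp())
    suspicious = {"Label": IOC_LABEL,
                  "ProgramArguments": [f"{IOC_DIR}/unioncryptoupdater"],
                  "RunAtLoad": True}
    benign = {"Label": "com.example.backup",
              "Program": "/usr/libexec/backupd", "RunAtLoad": True}
    with (tmp / IOC_PLIST_NAME).open("wb") as f:
        plistlib.dump(suspicious, f, fmt=plistlib.FMT_BINARY)  # binary, as many are
    with (tmp / "com.example.backup.plist").open("wb") as f:
        plistlib.dump(benign, f)
    return scan_launch_daemons(tmp)


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found)
    real = Path("/Library/LaunchDaemons")
    if real.is_dir():  # on a Mac, also scan the real directory
        for name, found in scan_launch_daemons(real).items():
            print(name, found)
```

The path heuristic will flag some legitimate third-party daemons in /usr/local or vendor directories, so treat anything other than the IOC matches as a lead to triage, not a verdict.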
Master Stealth Mode
VirusTotal, a popular service that aggregates results from many antivirus engines, shows this new threat evading most of them: of the 70-plus engines, only 10 flag it so far. Detection that low means the malware could stay on an infected system far longer than expected if nothing ever flags it.
Any Threat?
The remote command-and-control server is still online, but it currently answers only with “0”, meaning no second-stage payload is being served yet. Once a payload is delivered and executed, it would set the stage for the initial attack, potentially gathering information about files and other content on the victim’s machine.