New fileless malware for macOS linked to Lazarus Group
Last week, macOS security expert Patrick Wardle wrote up a new threat aimed at Mac users: a sophisticated, hard-to-detect fileless malware variant. Wardle’s post, though highly technical, is well worth reading in full — not least of all because it provides an excellent window into the process of malware research.
In this short article, we’d like to take you through some of the highlights, define some key terms, and explain what this discovery means for everyday Mac users.
Who made it?
The new malware sample bears similarities to the well-known AppleJeus malware, which targets cryptocurrency exchanges. AppleJeus is the product of Lazarus Group, a shadowy cybercrime organization believed by many to be linked to North Korea. Lazarus Group is classified as an Advanced Persistent Threat, or APT, which, as the name implies, means that they are considered highly sophisticated malicious actors capable of infiltrating networks and remaining undetected for an extended period.
What is it?
The malware is a Trojanized application delivered via a fake cryptocurrency trading platform and website called “Union Crypto Trader” (the website set up by the hackers is currently in “maintenance mode” and inaccessible, but it is still online). The application is installed from a file named UnionCryptoTrader.dmg, which contains a single, unsigned package. Wardle analyzed the contents of this package and found code designed to install a background launch item that automatically executes a specified program each time the computer is rebooted. A piece of malware’s ability to survive reboots in this way is known as “persistence”.
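As an added illustration of how a defender would look for this kind of persistence (this is not code from Wardle’s write-up or from the malware itself), the following Python audit parses launchd property lists from the places where third-party launch items live and flags any that start automatically and run a program from outside the usual install locations. The directory list, the trusted path prefixes and the sample plist are assumptions constructed for this example.

```python
import os
import plistlib
from pathlib import Path

# Locations launchd scans for third-party persistence (assumed standard macOS paths).
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
               os.path.expanduser("~/Library/LaunchAgents")]
# Where legitimately installed software normally lives; anything else deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

def describe_launch_item(plist_bytes: bytes) -> dict:
    """Extract label, executable and auto-start settings from a launchd property list."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else None)
    return {
        "label": p.get("Label"),
        "program": program,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),  # may be a bool or a dict
    }

def is_suspicious(item: dict) -> bool:
    """Flag items that auto-start and run something outside the usual install locations."""
    if not item["program"] or not (item["run_at_load"] or item["keep_alive"]):
        return False
    return not item["program"].startswith(TRUSTED_PREFIXES)

def audit_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Walk the launch directories and return the entries worth a closer look."""
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for path in base.glob("*.plist"):
            try:
                item = describe_launch_item(path.read_bytes())
            except Exception as exc:  # malformed plist: report it rather than skip silently
                findings.append({"path": str(path), "error": str(exc)})
                continue
            if is_suspicious(item):
                findings.append({"path": str(path), **item})
    return findings

# Constructed sample (made-up label and path): a daemon that runs a user-writable binary on every boot.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
```

Running `audit_launch_dirs()` on a Mac prints only the items that auto-start from unusual paths; a launch item that points at an unsigned binary in a user-writable folder is exactly the kind of entry to investigate before trusting it.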
What does it do?
Once the malware goes active, it appears to do a number of things, including gathering information about the host system and contacting a command-and-control server run by the hackers.
That may not sound so bad, but here’s where things get interesting. Depending on the response the malware receives from the remote server, it will either go dormant for a while before checking in again with “home base”, or it will download and execute code sent to it by the server: a malicious payload that constitutes stage two of the attack. As of the time of writing, no one has actually observed a second-stage payload being sent to this malware (other than the “go to sleep” response code), so no one is quite sure what the attackers’ eventual plans for stage two are. But since Lazarus Group’s M.O. has historically been to steal cryptocurrency, it’s a reasonable supposition that this is where their intentions lie.
What is “fileless” malware?
Wardle notes that one interesting aspect of the new malware sample is that it is able to execute the second-stage payload entirely from the computer’s RAM. This means that instead of existing on your hard drive, the payload runs directly in your computer’s memory, leaving no trace on disk. At no point does new malicious code need to be written to or executed from the computer’s filesystem (which is where most endpoint protection products hunt for malware). Because of this, the malicious activity becomes much harder to detect. Since this type of malware doesn’t require a user to download malicious files onto their system and execute them, it is known as “fileless” malware.
Am I at risk?
There’s a lot of good news for average Mac users on this one, despite the sophistication of the malware and the notoriety of its creators.
First of all, since it’s targeted at cryptocurrency trading, if you aren’t involved in that world there’s very little chance you’d ever come across this malware.
Secondly, people who do trade cryptocurrency know (hopefully) to take precautions when trying out a new platform or application. A brand-new outfit like “Union Crypto Trader” ought to give experienced traders pause, and cause them to proceed a bit more cautiously than they would with a large, established name in cryptocurrency.
Finally, if you’re using the basic protections built into macOS correctly, you shouldn’t have anything to worry about. Remember that the code in the installer package (UnionCryptoTrader.pkg) is unsigned, which means that your Mac would warn you that you’re attempting to install software whose developer can’t be verified: a huge red flag. While malicious actors can and do get hold of legitimate Apple Developer IDs, and thus signed code isn’t an absolute guarantee of safety, an unsigned installer from a brand-new crypto trading app should set the alarm bells ringing.
A few takeaways
For most people, this story will just be an interesting bit of malware news — and maybe an opportunity to learn more about cybersecurity terms like “fileless malware”. But there are definitely larger lessons to be learned here as well.
First, this discovery underscores what we and others have been saying about the macOS threat landscape: namely, that Mac malware is increasing in sophistication and prevalence. Paying attention to Mac security issues has never been more important, and stories like this one are a reminder to be vigilant.
Another thing we can learn from this is the importance of making use of the built-in tools provided by macOS. Yes, it’s obviously easier to just click through all of those pop-ups and warnings that your Mac shows you. But they’re there for a reason. While you don’t have to be paranoid while casually using your Mac, it’s a good idea to pay extra attention to these warnings whenever you’re installing new software or visiting an unfamiliar site, because these protections are there to keep you safe.
Finally, this story is yet another reminder of what we, the security research community, and even Apple have been saying for a while now: that the future of security is going to have to be a community effort. We need to work together to share information and to educate one another, so that we build a world in which every Mac user has the knowledge and confidence to make use of all those built-in security features. That’s why we’ll continue to bring you news, updates, research and more through our site and the Checklist podcast — and why we encourage you to reach out to us if you ever need help with a security question.