Lazarus Group Develops Cryptocurrency-Stealing Software for Mac

As we’ve reported many times before in the past, malware is shifting away from its usual “wanton destruction” patterns and is moving toward a scene which earns hackers money. Breaking someone’s computer may be fun, but it doesn’t get the hacker anything in return; meanwhile, making malware that steals bank data, locking the PC down until a payment is made, or planting cryptocurrency miners without permission does bring a tangible return.

The Lazarus Group, a North Korean-based hacker team, have made a new strain of malware called AppleJeus, which is designed to steal cryptocurrency funds. While not a new development in itself, this new strain came with a worrying new feature: it can infect Mac computers as well as Windows.

Why Is this Big News?


The reason why this is large is due to how Mac computers have been deemed safe for bitcoin operations. When a malware wave hits, it’s usually Windows machines that feel the full brunt of the attacks. Now, however, the hacker’s network is spreading to this safe haven, meaning that cryptocurrency users running software on macOS should start taking care with regards to how they do their business.

How Does It Work?


AppleJeus works by being downloaded alongside software that’s used for cryptocurrency trading. The software comes with an updater, which isn’t something to raise an eyebrow over; software comes with updater programs all the time. In the case of AppleJeus, however, the updater is actually a disguised transmitter that talks to the Lazarus’ servers.

AppleJeus first gathers information about the PC and sends it back home. If the hackers deem the PC is worth attacking, they can send a trojan through the malicious updater that was installed. Once the software has been “updated,” the malware opens a backdoor where the attackers can have free rein over the target computer. This allows them to take financial details, which is then used to steal cryptocurrency.

What Does this Mean for the Future?


This is not the first time the Lazarus group has been found striking financial targets. They also have a reputation for hitting financial companies and banks in order to turn their expertise into a paying gig. Given how both the AppleJeus-infected software and the site that distributes it both look like official, trustworthy sites, this may be the start of cryptocurrency attacks becoming complex and harder to spot.

“We noticed a growing interest of the Lazarus Group in cryptocurrency markets at the beginning of 2017 when Monero mining software was installed on one of their servers by a Lazarus operator,” said Vitaly Kamluk at Kasperly Labs. “Since then they have been spotted several times targeting cryptocurrency exchanges alongside regular financial organizations.”

The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future. For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies.

What Does this Mean for Users?

This means that any users who are currently operating cryptocurrency miners on a Mac machine now need to keep an eye out for this malware. As the world of cryptocurrency malware advances, so, too, will its ability to creep onto devices and operating systems previously thought to be “immune” to viruses. Be smart when you’re downloading cryptocurrency tools – they may be laced with something nasty!

Money Matters

With cryptocurrency malware becoming more and more of a lucrative venture, it’s only natural that hackers will up their game in order to score a quick buck. The latest development includes moving malware over to the Mac, allowing for a greater pool of victims. If you use a Mac for your cryptocurrency operations, it’s best to keep your eye out and not assume you’re invincible to malware.

Is this a surprising development to you? Or was it bound to happen? Let us know below.

Simon Batt Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.