North Korean group said to be involved in the attacks

Oct 15, 2019 11:02 GMT  ·  By

macOS users are once again being targeted by what is believed to be a North Korean hacking group, and this time the malicious campaign reuses an approach that has been seen before.

Lazarus Group, which security companies have previously linked to North Korea, has recently launched a new wave of attacks built on a fake front company, a fake official website, and fake cryptocurrency trading software.

The goal is to convince macOS users to install the trojanized software on their devices, after which the attackers can compromise the system and remotely execute commands on it.

The supposedly open-source cryptocurrency trading application is published on GitHub, and it contains code that lets an attacker take control of any macOS device on which it is installed.

Malware still undetected

Security researcher Patrick Wardle says in his analysis of the campaign that a successful attack would give Lazarus Group essentially full control over the Mac.

“The ability to remotely execute commands clearly gives a remote attacker full and extensible control over the infected macOS system,” he says.

The so-called JMT Trading software resembles an earlier effort by the same North Korean group, which used a fake company called Celas and was uncovered by Russian security vendor Kaspersky. By the looks of things, Lazarus simply refreshed the idea with a slightly different front.

The new malware is aimed specifically at macOS; no cross-platform code has been found in it.

More worrying is that the new malware, not especially sophisticated but still dangerous, is not yet detected by macOS security products: Wardle says a scan on VirusTotal returned no alerts, with every engine rating the software as clean. Security vendors will most likely add detections for it in the coming days.

At this point, it is not yet known whether any macOS users fell victim to this refreshed attack, but Wardle says most people shouldn’t worry anyway “unless you’re an employee working at a crypto-currency exchange.”