A new macOS Trojan has been uncovered, which, researchers believe, was developed by the Lazarus hacking group. The malware has been analyzed by Patrick Wardle.
However, it was discovered by another security researcher, Dinesh Devadoss, who shared his findings in a tweet. Devadoss also provided a hash for the malware sample.
The sample is packaged as UnionCryptoTrader, and was hosted on a website known as unioncrypto.vip, advertised as a smart cryptocurrency arbitrage trading platform.
New macOS Trojan Analyzed by Patrick Wardle
According to Wardle’s analysis, the malware has a postinstall script that installs the vip.unioncrypto.plist launch daemon to achieve persistence. This script is designed to:
-move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
-set it to be owned by root
-create a /Library/UnionCrypto directory
-move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
execute this binary (/Library/UnionCrypto/unioncryptoupdater)
„Though installing a launch daemon requires root access, the installer will prompt the user for their credentials. Thus, once the installer completes, the binary unioncryptoupdater will both currently executing, and persistently installed,“ Wardle said.
The hidden unioncryptoupdater binary will run each time the system is rebooted, and this is done by setting its RunAtLoad key to true. The binary can also collect basic system information, including serial number and OS version.
The binary can also contact a command and control server for the payload, which shows that it is designed for the initial stage of the attack. However, Wardle’s analysis points that currently the command and control server is responding with a “0”, meaning that no payload is provided.
The missing payload probably means that this new macOS Trojan was discovered before the Lazarus hackers had the chance to finalize all details and get ready for actual operations.
The Trojan still has a low detection rate on VirusTotal. It can be detected as Trojan.OSX.Lazarus ( or Trojan-Downloader.OSX.Agent.f.
Wardle also said that the malware is capable of achieving in-memory execution of a payload. This fileless method is more typical for Windows malware but is rarely seen in macOS threats. Thus, Wardle concluded that “Lazarus group continues to target macOS users with ever evolving capabilities.”
More about the Lazarus Hacking Group
The Lazarus hacking group is believed to be operating from North Korea and has been known for planning elaborate campaigns against high-profile targets. Their first attacks were against South Korean institutions using distributed denial-of-service attacks back in 2009 and 2012.
The group is known for using large networks of botnet nodes that are controlled by the group. In most cases they are made of hacked computers that are infected with malware code that recruits them to the network. The combined collective network power can be devastating to sites and computer networks when the attacks are launched at once.