Lazarus APT continues to target cryptocurrency businesses with Mac malware

Pierluigi Paganini March 28, 2019

North Korea-linked Lazarus group made the headlines again, it has been leveraging PowerShell to target both Windows and macOS machines.

The North Korea-linked Lazarus APT group made has been leveraging PowerShell to target both Windows and macOS machines in a new wave of attacks.

The discovery was made by experts at Kaspersky Lab, the campaign has been ongoing since at least November 2018, Kaspersky Lab reports.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

In 2018, the Lazarus APT group targeted several cryptocurrency exchanges, including the campaign tracked as Operation AppleJeus discovered in August 2018. At the time, North Korea-linked Lazarus APT group leveraged for the first time on a MacOS variant of the Fallchill malware.

Experts at Kaspersky believe the threat actors continued to work on MacOS malware to expand their operations.

The APT group leveraged custom PowerShell scripts to control Mac malware.

“They have developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects.” reads the analysis published by Kaspersky Lab. “After establishing the malware control session with the server, the functionality provided by the malware includes set sleep time (delay between C2 interactions), exit malware, collect basic host information, check malware status, show current, malware configuration, update malware configuration, execute system shell command, and download & upload files”


Lazarus hackers leveraged both compromised and purchased servers to arrange their campaign, experts discovered servers from China and the European Union that were hosting the macOS and Windows payloads. Threat actors seem to use rented servers to host malware, while they hosted the C&C scripts on compromised servers.

The malware was distributed through documents that were crafted to attract the attention of cryptocurrency professionals, the APT group appears to be focused on organizations in South Korea.

According to Kaspersky Lab, the development team behind the macOS malware is the same that created other malicious codes used in other campaigns associated with Lazarus.

“We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems.” Kaspersky says. 

“It’s best to check new software with an antivirus or at least use popular free virus-scanning services,”

Further technical details, including Indicators of Compromise, are reported in the analysis published by Kaspersky Lab.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Lazarus, cryptocurrency)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment