Mac Users Targeted by Lazarus ‘Fileless’ Trojan

upnorth
The Lazarus hacking group has been caught trying to sneak a new ‘fileless’ Trojan onto Apple macOS computers disguised as a fake cryptocurrency trading application.

The discovery was reported by K7 Computing’s Dinesh Devadoss to Mac security expert Patrick Wardle, who immediately spotted similarities to previous attacks. The first of these, from 2018, was the ‘Apple.Jeus’ malware, which also used a cryptocurrency trading application to lure high-value targets in order to steal cryptocoins. In October 2019, the hackers returned with a new backdoor Trojan that spreads using the same approach – a cryptocurrency application posted to GitHub for victims to download. To make the applications appear trustworthy, both campaigns used the ruse of setting up fake software companies using legitimate certificates.
The new Trojan, tagged by Wardle as OSX.AppleJeus.C, continues in the same vein, with one interesting twist – the so-called fileless in-memory execution of a remote payload. As its name suggests, fileless malware avoids writing files to disk to avoid detection by signature scanners, restricting itself to main memory. Once there, the malware attempts to hijack legitimate processes on the target, for example Windows PowerShell or command line scripting tools such as wscript.exe. In the case of the latest Apple campaign, the trading application is the Trojan that initiates infection, borrowing Apple API calls to create an innocent-looking object file image which is written to disk to create persistence (i.e. the ability to survive reboots).
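The in-memory payload leaves little on disk, but the persistence step described above does: something has to be written so the malware survives a reboot. A defender can therefore hunt for that foothold rather than for the payload. The script below is an added example, not code from the article or from Patrick Wardle's analysis; it assumes persistence is established through a launchd property list (the usual macOS mechanism for starting a program at boot or login, an assumption on my part since the article does not name the file type), and the two plists it audits are constructed for the demonstration. It flags jobs that run from user-writable locations, jobs that start at load, and jobs whose Apple-looking label does not match an Apple program path.

```python
"""Audit launchd property lists for suspicious persistence entries.

Added, illustrative example (not from the article or from the researcher's
write-up). Assumption: the malware persists via a launchd plist in
/Library/LaunchDaemons or ~/Library/LaunchAgents. Sample plists below are
constructed for this demonstration.
"""
import plistlib
from dataclasses import dataclass, field
from typing import List

# Prefixes from which launchd jobs normally run on a stock macOS install.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/sbin/", "/bin/")
# Writable, user-controlled locations that are unusual for a launch daemon.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/",
                       "/private/var/folders/")


@dataclass
class Finding:
    label: str
    program: str
    reasons: List[str] = field(default_factory=list)


def program_path(plist: dict) -> str:
    """Return the executable a launchd job starts (Program or ProgramArguments[0])."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_plist(data: bytes) -> Finding:
    """Parse one plist and collect reasons it looks like a malicious foothold."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", "<no label>"))
    program = program_path(plist)
    reasons: List[str] = []
    if not program:
        reasons.append("no Program/ProgramArguments")
    elif program.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"runs from user-writable location: {program}")
    elif not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"runs from non-system location: {program}")
    # RunAtLoad alone is normal; it only matters once the program is already odd.
    if plist.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad is true (starts at boot/login)")
    # Label impersonating Apple while pointing at a non-Apple binary.
    if label.startswith("com.apple.") and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("Apple-looking label but non-Apple program path")
    return Finding(label, program, reasons)


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Keep only findings that have at least one reason."""
    return [f for f in findings if f.reasons]


# Constructed sample: a plausible system job, nothing to report.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.sample.benign</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/sample-helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed sample: Apple-style label, binary dropped under /Users, starts at load.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.sample.updater</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/sample-trading-app/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""


if __name__ == "__main__":
    for finding in suspicious([audit_plist(BENIGN_PLIST), audit_plist(SUSPICIOUS_PLIST)]):
        print(finding.label, finding.program)
        for reason in finding.reasons:
            print("  -", reason)
```

On a real host, point `audit_plist` at each file under /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents; the path heuristics are deliberately coarse, so treat a hit as a lead to verify (code signature, file age, who wrote it) rather than a verdict.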