A new macOS malware has surfaced recently, with low threat detection rate, that digital security researchers think is allegedly created by the Lazarus Group, a cybercrime group based in North Korea with a long history of crypto hacking.
The malware was disguised on a cryptocurrency trading platform website called ‘unioncrypto.vip’ and was discovered by researchers before any major damage was done.
The malware is capable of regaining a payload from an isolated storage space and run it on memory. This method makes it difficult for digital security analysts to conduct forensic research.
Malware analysis firm VirusTotal shows that the detection of the malware is on the verge of impossible. Currently, only five antivirus software are able to identity it as harmful. Dinesh Devadoss, a malware research expert, provided a hash for the malware that was able to load mach-O file from computer memory and execute it.
Patrick Wardle, digital security expert and white hat hacker for macOS studied that malware discovered by Devadoss and reached the conclusion that there are overlaps with Lazarus Group’s work.
The defected sample is sealed under the title ‘UnionCryptoTrader’ and was displayed on the “unioncrypto.vip” website which is a promotion page for a cryptocurrency trading platform. Opening the package will set off a warning from the operating system of the user’s computer as the sample is not signed.
Malware Analysis
Researchers working on analyzing the malware shared that the malware has a script titled ‘postinstall’ which is able to install ‘vip.unioncrypto.plist’ Launch Daemon. They have also shared the characteristics of the script such as a hidden plist is moved from resources of the downloaded application to the library of Launch Daemons.
The script is also able to create a directory in Library/UnionCrypto and moves a hidden binary resource of the application to it. And finally, the script can execute binary, clearly outlined by the researchers as (/Library/UnionCrypto/unioncryptoupdater) which will run every time the system is rebooted.
Wardle’s analysis of the malware shows that it holds the capability of collecting information about the victim’s system, such as serial number and the version of OS. However, the fact that valid certificate is missing, and the absence of payload could mean that digital security experts were able to detect the virus before the attacker could prepare the thorough workings of the malware operations.
Although executing a file in memory has become a redundant feature of malware infesting and attacking Window’s Operating System, it is one of the few times it has surfaced on macOS. Researchers fear this could gain popularity on this platform.
