If you think Apple’s macOS is more secure than anything else, guess what: it is subject to malware too. The Lazarus group, a well-known malware operation associated with North Korea, is believed to be behind this attack. It is infamous for remotely implanting a virus in stages to gather confidential data. The researcher who shared the sample tagged security researchers Patrick Wardle and Thomas Reed to analyse the issue further: “Another #Lazarus #macOS #trojan md5: 6588d262529dc372c400bef8478c2eec hxxps://unioncrypto.vip/ Contains code: Loads Mach-O from memory and execute it / Writes to a file and execute it”. After studying this malware, Patrick Wardle replied that “there are some clear overlaps” with the Lazarus group and with the first-stage sample first detected by MalwareHunterTeam.
Modus Operandi
The sample performs these steps in order before finally dropping the payload:
- move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
- set it to be owned by root
- create a /Library/UnionCrypto directory
- move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
- execute this binary (/Library/UnionCrypto/unioncryptoupdater)
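The steps above leave two artifacts on disk that a defender can hunt for: a dot-prefixed (hidden) plist in /Library/LaunchDaemons and a binary under /Library/UnionCrypto/. The following is an added example, not code from the article or from Wardle's analysis, that scans a LaunchDaemons directory for those artifacts and, more generally, for any hidden launch daemon; the sample directory it builds (the benign daemon and the label strings) is constructed for illustration.

```python
import os
import plistlib
import tempfile

# Artifact names taken from the write-up above.
IOC_PLIST = ".vip.unioncrypto.plist"
IOC_DIR = "/Library/UnionCrypto/"
IOC_BINARY = IOC_DIR + "unioncryptoupdater"

def scan_launch_daemons(daemons_dir):
    """Return (path, reason) findings for every suspicious plist in daemons_dir."""
    findings = []
    for name in sorted(os.listdir(daemons_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(daemons_dir, name)
        if name == IOC_PLIST:
            findings.append((path, "known UnionCrypto launch daemon name"))
        elif name.startswith("."):
            # Finder and a plain `ls` hide dot-files; a hidden LaunchDaemon is abnormal.
            findings.append((path, "hidden (dot-prefixed) launch daemon"))
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            findings.append((path, "unparseable plist"))
            continue
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else "")
        if program.startswith(IOC_DIR):
            findings.append((path, "launches a binary under " + IOC_DIR + ": " + program))
    return findings

def scan_host():
    """Scan the real macOS locations and also report the dropped binary if present."""
    findings = scan_launch_daemons("/Library/LaunchDaemons")
    if os.path.exists(IOC_BINARY):
        findings.append((IOC_BINARY, "dropped updater binary present"))
    return findings

def build_sample_dir():
    """Constructed sample: one benign daemon and one mimicking the write-up's plist."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    with open(os.path.join(d, IOC_PLIST), "wb") as fh:
        plistlib.dump({"Label": "vip.unioncrypto", "RunAtLoad": True,
                       "ProgramArguments": [IOC_BINARY]}, fh)
    return d

if __name__ == "__main__":
    for path, reason in scan_launch_daemons(build_sample_dir()):
        print(path, "->", reason)
```

Run scan_host() on a macOS machine to check the live /Library/LaunchDaemons; the sample directory only exercises the logic offline.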
Master Stealth Mode
VirusTotal, a popular online service that aggregates results from many antivirus engines, shows that this new threat is evading detection well. Out of the 70+ engines, only 10 flag this sample so far. This shows how well the malware hides from detection and suggests it could persist longer than expected (or perhaps indefinitely) if it is not flagged.
Any Threat?
While the remote command-and-control server is still online, it currently responds only with “0”, meaning no payload has been served yet. If a payload is delivered and executed as instructed, it will prepare the ground for launching the initial attack, which could gather data about files and other content.