Lazarus Group suspected in GitHub-hosted backdoor scam

A newly discovered macOS malware sample targeted crypto-exchanges with a fake installer

UPDATED A newly discovered malware sample – linked to the infamous Lazarus Group of North Korea – targeted cryptocurrency exchanges with a fake installer.

The cyber spies behind the malware created a fake company and website in order to add plausibility to the scam.

The tactic, a repeat of a technique the group also applied to sling the AppleJeus macOS implant last year, this time centers on a supposed trading platform app from the fictitious ‘JMT Trading’.

In reality, the JMTTrader.pkg offered through GitHub is riddled with malware, with the main payload disguised as a CrashReporter binary.

The malicious software is signed, but not with an Apple developer ID, repeating an unusual feature also found in AppleJeus.

The latest sample, discovered by security researchers at MalwareHunterTeam, affects both Windows and macOS systems.

Lightweight, but persistent

A new blog post by independent Mac security expert Patrick Wardle offers a comprehensive analysis of the new malware.

The malware-based scam targets sysadmins of crypto-exchanges through a form of phishing.

“While I don’t have direct insight into this (i.e. logs, network traffic, or a user that was actually targeted), this backdoor was likely deployed in exactly the same manner as before,” Wardle told The Daily Swig.

“The attackers would create a convincingly real site, that appeared to offer an open source cryptocurrency trading application… [T]he attackers would then email specific users who were admins or employees at cryptocurrency exchanges, asking them to try out, or review the app (and providing them a link to the website of the fake company).

“Any user who went to test out the app, would of course become infected,” he added.




The malware establishes a backdoor on compromised systems.

“The malware is basically a light-weight, albeit persistent backdoor – giving a remote attacker complete control over an infected system,” Wardle explained.

“It appears to support the download and execution of other tools and/or commands. For example, the attackers could perhaps install a more fully featured backdoor on certain targets of interest.”

Targeted attack

The latest attack is geared towards the same ends as last year’s AppleJeus attack, which was discovered by Kaspersky.

Wardle said: “This one looks to be the same: fake cryptocurrency website, fake cryptocurrency app with a malicious component, etc. Of course, anybody who also just stumbled on the site or the GitHub download page and tried out the app would also have been infected. But all signs point to this being a very targeted attack.”

Detection of the malware remained mediocre as of Monday, 14 October, when four engines detected it. Those running the free-of-charge objective-see.com tools developed by Wardle are also protected.


This story was updated to correct the inaccurate statement that the latest malware was a macOS-only threat.

