Slashdot Mirror


North Korean Hackers Hit Cryptocurrency Exchange With macOS Malware (securityweek.com)

A North Korea-linked hacking group, dubbed Lazarus, deployed malware for macOS in an effort to infiltrate cryptocurrency exchanges. "In one of the attacks, which Kaspersky refers to as Operation AppleJeus, the group tricked an unsuspecting employee to download a trojanized cryptocurrency trading application that covertly downloaded and installed the Fallchill malware," reports SecurityWeek. The group's malware was designed to target macOS in addition to Windows, marking the first time Lazarus has been observed using malware for Apple's OS, according to Kaspersky. The malware was reportedly pushed via an update.

Slashdot reader asjk writes: The legitimate-looking application is called Celas Trade Pro and comes from Celas Limited. It's an all-in-one style cryptocurrency trading program which installs malicious code via an update. "... [the program] was seen running the Updater.exe module, which would collect system information and send it back to the server in the form of a GIF image," reports SecurityWeek. "Based on the server's response, the updater either keeps quiet or extracts a payload with base64 and decrypts it using RC4 with another hardcoded key to retrieve an executable file."
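The summary says the trojanized updater shipped collected system information "in the form of a GIF image". One thing a defender reviewing update traffic can do is check whether a body that claims to be an image actually conforms to the container format. The following Python is an added example, not code from the article, SecurityWeek or Kaspersky: it walks the GIF layout (signature, logical screen descriptor, optional global colour table, image and extension blocks, trailer) and reports the first structural problem it finds. The sample inputs (a real 1x1 GIF and two constructed base64 blobs standing in for exfiltrated system information) are made up for the example.

```python
"""Heuristic check: does a blob that claims to be a GIF actually parse as one?

Added example (not code from the article, SecurityWeek or Kaspersky).  The
trojanized updater is described as sending collected system information
"in the form of a GIF image"; a defender inspecting update traffic can flag
bodies that carry an image content type but do not follow the GIF layout.
All sample inputs below are constructed for the example.
"""
import base64
from typing import List, Tuple


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks (length byte + payload),
    ending at the 0x00 terminator.  Returns -1 if the data is truncated."""
    while True:
        if pos >= len(data):
            return -1
        length = data[pos]
        pos += 1
        if length == 0:
            return pos
        pos += length


def looks_like_gif(data: bytes) -> Tuple[bool, str]:
    """Walk the GIF container: header, logical screen descriptor, optional
    global colour table, then image/extension blocks up to the 0x3B trailer."""
    if len(data) < 13:
        return False, "too short for a GIF header and logical screen descriptor"
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "missing GIF87a/GIF89a signature"
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    packed = data[10]                      # flags for the global colour table
    if width == 0 or height == 0:
        return False, "zero-sized logical screen"
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
        if pos > len(data):
            return False, "truncated global colour table"
    while pos < len(data):
        introducer = data[pos]
        if introducer == 0x3B:             # trailer: end of stream
            return True, "valid GIF structure"
        if introducer == 0x2C:             # image descriptor (10 bytes)
            if pos + 10 > len(data):
                return False, "truncated image descriptor"
            local_flags = data[pos + 9]
            pos += 10
            if local_flags & 0x80:         # local colour table present
                pos += 3 * (2 ** ((local_flags & 0x07) + 1))
            pos += 1                       # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)
            if pos < 0:
                return False, "truncated image data"
        elif introducer == 0x21:           # extension: label byte follows
            pos += 2
            pos = _skip_sub_blocks(data, pos)
            if pos < 0:
                return False, "truncated extension data"
        else:
            return False, f"unexpected block introducer 0x{introducer:02x} at offset {pos}"
    return False, "missing 0x3B trailer"


# Constructed inputs for the example: a real 1x1 GIF and two disguised blobs.
REAL_GIF = bytes.fromhex(
    "474946383961"                         # "GIF89a"
    "0100" "0100" "80" "00" "00"           # 1x1 screen, 2-entry global colour table
    "000000" "ffffff"                      # the two colour table entries
    "2c" "0000" "0000" "0100" "0100" "00"  # image descriptor
    "02" "02" "4401" "00"                  # LZW min code size, one sub-block, terminator
    "3b"                                   # trailer
)
FAKE_SYSINFO = b"hostname=EXAMPLE-PC;os=Windows 10;user=alice"   # constructed
DISGUISED_PLAIN = base64.b64encode(FAKE_SYSINFO)
DISGUISED_WITH_HEADER = b"GIF89a" + base64.b64encode(FAKE_SYSINFO)


def triage(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, bool, str]]:
    """Run the check over (label, body) pairs; anything that fails while
    claiming image/gif is worth a closer look."""
    return [(label, *looks_like_gif(body)) for label, body in samples]


if __name__ == "__main__":
    for label, ok, reason in triage([
        ("real-gif", REAL_GIF),
        ("base64-only", DISGUISED_PLAIN),
        ("base64-with-gif-header", DISGUISED_WITH_HEADER),
    ]):
        print(f"{label:24} {'ok ' if ok else 'FLAG'} {reason}")
```

The check is deliberately structural rather than content-aware: a valid signature alone proves nothing, since six bytes are trivial to prepend, so the walk continues through the block chain to the trailer. Base64 text fails quickly because its alphabet never contains the 0x2C, 0x21 or 0x3B introducer bytes, which is why the third sample is rejected at offset 13 even though it starts with "GIF89a".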

26 of 100 comments

  1. Re:What A Bunch of PECKERS! by Anonymous Coward · · Score: 2, Funny

    We need to turn North Korea into a sheet of trinitite with carbon residue where people were standing when the liberation happened.

  2. If only... by Oswald+McWeany · · Score: 1

    If only they were running the Windows 95 app instead of Mac OS the virus wouldn't have worked.

    --
    "That's the way to do it" - Punch
  3. Gatekeeper? by Jeremi · · Score: 2

    Anyone know how (or if) this malware makes it past the Gatekeeper? (i.e. does it have a valid package and application signature, or does it rely on the user to opt-out of Gatekeeper's validity check, or does it have some other trick it uses?)

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
    1. Re:Gatekeeper? by Anonymous Coward · · Score: 1

      Gatekeeper only allows apps signed by the App Store to run on Mac OS by default.

    2. Re:Gatekeeper? by aaarrrgggh · · Score: 1

      I think that is just for initial installation -- I have never seen an update trigger it. The update mechanism might need to be stealth though.

    3. Re:Gatekeeper? by TheFakeTimCook · · Score: 1

      Anyone know how (or if) this malware makes it past the Gatekeeper? (i.e. does it have a valid package and application signature, or does it rely on the user to opt-out of Gatekeeper's validity check, or does it have some other trick it uses?)

      It "gets by" Gatekeeper by tricking the User into letting it run.

      I am SURE Gatekeeper WARNED about it; but in the end, the USER made the decision.

  4. MacOS Malware? by Daetrin · · Score: 1, Funny

    I'm confused, I was told that you will never, ever catch a virus on an apple.

    https://www.youtube.com/watch?...

    --
    This Space Intentionally Left Blank
    1. Re:MacOS Malware? by jythie · · Score: 1

      This. No usable OS will ever be able to protect a user from installing an application they think is legit. Well, I guess really strict ACLs or every app getting its own VM/sandbox might.

    2. Re:MacOS Malware? by TheFakeTimCook · · Score: 1

      This.

      No usable OS will ever be able to protect a user from installing an application they think is legit. Well, I guess really strict ACLs or every app getting its own VM/sandbox might.

      Gatekeeper defaults to only allow Apps from the Mac App Store. That's about as safe as you can get with Trojans.

    3. Re:MacOS Malware? by TheFakeTimCook · · Score: 1

      That was just one of many lies Apple tells.
      They also don't throttle their phones. Well, they do, but it's for your own good.

      Quit LYING to yourself!

      NO OS can be made safe from TROJANS.

    4. Re:MacOS Malware? by Highdude702 · · Score: 1

      Until some software someone wants to use isn't signed, yet is widely known to work great. The bit gets flipped and forgotten. Happens on all of them.

    5. Re:MacOS Malware? by TheFakeTimCook · · Score: 1

      Until some software someone wants to use isn't signed, yet is widely known to work great. The bit gets flipped and forgotten. Happens on all of them.

      Apple took care of that little problem. The setting automatically reverts back to the safest setting after a fairly short period (30 days, IIRC).

      Fairly reasonable compromise between security and convenience.

      And regardless of the setting, it still warns you on any downloaded software, making you have to affirmatively allow the installation.

  5. Re:No. by jfdavis668 · · Score: 1

    Says the Anonymous Coward.

  6. Are we trusting Kaspersky?! by mi · · Score: 2

    which Kaspersky refers ...

    Why are we reading anything originating from a KGB-controlled source again?

    --
    In Soviet Washington the swamp drains you.
    1. Re: Are we trusting Kaspersky?! by phantomfive · · Score: 2

      If he presents verifiable evidence, it doesn't matter if the FSB itself presents it.

      --
      "First they came for the slanderers and i said nothing."
    2. Re: Are we trusting Kaspersky?! by mi · · Score: 1

      If he presents verifiable evidence

      That's a giant "if", though. Involvement of any state-backed actor — especially FSB — raises (or ought to raise) the requirement for verifiability by orders of magnitude on any quantifiable characteristics...

      it doesn't matter if the FSB itself presents it.

      Mr. Mueller would now like to have a word with you. Be sure to wait for the "Walk" light before crossing a road...

      --
      In Soviet Washington the swamp drains you.
    3. Re: Are we trusting Kaspersky?! by Highdude702 · · Score: 1

      I see what you did

  7. Cryptocurrency *and* Mac! by cascadingstylesheet · · Score: 1

    A sort of hipster convergence!

  8. Re:hackintosh and apple can use this to get laws b by TheFakeTimCook · · Score: 1

    hackintosh and apple can use this to get laws to ban them that just ends up making end users drop Mac or be stuck with Apple's crap that overheats all the time.

    NO OS can be made immune to TROJANS.

    Period.

    OS X/macOS: Almost 20 years and STILL no real viruses.

  9. Re:hackintosh and apple can use this to get laws b by Anonymous Coward · · Score: 1

    OS X/macOS: Almost 20 years and STILL no real value in the real world.

    Just give it up, Apple; at this point it's a joke.

    Maybe just start saying macOS was a HOBBY for apple.

  10. Preemptively defend against everyone! by easyTree · · Score: 1

    Incidental gain of oil.

  11. Re:What A Bunch of PECKERS! by easyTree · · Score: 2

    Umm, that's not humane. Plus it might damage any oil/mineral reserves.

  12. Re:What A Bunch of PECKERS! by Highdude702 · · Score: 1

    Mow them down with machine guns on helicopters?

  13. Re: Quit CRYIN' bitch, lol... apk by Highdude702 · · Score: 1

    This is why people think you're crazy, APK

  14. Re:Right: This works on MacOS X... apk by Highdude702 · · Score: 1

    Does APK stand for Anonymous Penis Killer? Just wondering..

  15. Re:No. by Highdude702 · · Score: 1

    Because Murika! Don't you know we're too proud to hide behind a proxy? Plus don't forget Murika! Only the Deep State NSA hides behind a proxy, real Murikans!! use IPv6!