North Korean hacking group: The mastermind behind malware on fake crypto trading platforms?

Security researchers have discovered a new, hard-to-detect macOS malware hiding on a fake cryptocurrency trading website. The malware masquerades as a cryptocurrency arbitrage platform, a service often used to take advantage of price differences between digital asset exchanges.

North Korean hacker group

Forensic analysis becomes more difficult because the threat has a very low detection rate and comes with capabilities that allow it to retrieve a payload from a remote location and run it in memory. The malware is thought to be the work of the well-known North Korean hacking group Lazarus, Bleeping Computer reported.

Security researcher Dinesh Devadoss tweeted the discovery of the malware on December 3. Patrick Wardle, another macOS security researcher and hacker, analyzed the malware found by Devadoss and determined that “there are some obvious duplicates” with another early-stage implant attributed to the Lazarus Group, one found less than two months earlier by MalwareHunterTeam.

According to the report, the malware was found on a website with the address “unioncrypto.vip”, which claimed to provide “a smart cryptocurrency arbitrage platform”; however, no download links were live on the site.

So far, very few antivirus engines detect the malware: only five flagged it at the time the Bleeping Computer report was published.

However, the malicious package is not signed with a certificate, so macOS shows a warning when it is run. Moreover, although the remote server was running, no payload was being served yet. These factors could mean the malware was found before the attackers had completed the trap, which presumably targets cryptocurrency owners.

Patrick Wardle said that there was a “clear overlap” between this new malware threat and another recent one attributed to Lazarus. A malware variant found in October, believed to be the work of the same group, was also hidden on a fake cryptocurrency trading site.

Bleeping Computer also cited another case, discovered by Kaspersky and attributed to Lazarus, which used a cryptocurrency trading application to deploy Mac malware.

In a September 13 announcement, the U.S. Treasury Department added Lazarus, Bluenoroff and Andariel to its sanctions list, alleging that the groups were responsible for the theft of cryptocurrency worth 571 million dollars from five exchanges in Asia in 2017 and 2018.

The United States has sanctioned three North Korean entities for cybercrime, citing cryptocurrency theft as one of the reasons behind the move.
