The infamous Lazarus Group, allegedly from North Korean origin are back in action. Researchers have found the attackers to be targeting Windows and Mac users with a new strategy. Specifically, the Lazarus Group have developed a fake cryptocurrency software to snoop into victim machines.
Fake Cryptocurrency Software Preying On Users
Researchers from the MalwareHunterTeam have discovered a new attack from the North Korean hackers that targets both Windows and Mac devices.
The Lazarus Group is now aiming to supply victims with fake cryptocurrency software. This tool allows the hackers to take complete control of the victim devices remotely. The researchers have shared a detailed thread on Twitter about this malware.
As elaborated, the attackers have even created a legit looking website of a fake company. Labeled as JMT Trading, the firm claims to produce software for cryptocurrency trading.
The website allowed visitors to download the software from GitHub, where the attackers had already placed the software code and marked as open source. The same repository had separate executables for Windows and Mac as well. Whereas the open-source code seemingly was aimed at Linux users.
The strategy looks quite transparent. The open-source code also showed no signs of maliciousness.
However, once a user downloaded the software, the installer also installed a secondary executable file “CrashReporter.exe” on the system. This component, present in the %AppData%\JMTTrader folder was the actual malware serving as a backdoor. This program, via a scheduled task, executed every time a user logged in, and, with every execution, the program contacted the C&C to receive and execute commands.
Initial analysis of the malware proved it effective against Mac devices. Additionally on further analysis, it turned out to be just as effective against Windows systems as well.
The security researcher Patrick Wardle has presented the detailed technical analysis of the malware in his blog post.
Lazarus Group Suspected Behind Cryptocurrency Malware Attack
Further research allowed the researchers to establish a link between this malware scheme and the North Korean hacking group Lazarus. They could establish this link considering numerous similarities between this attack and the previously discovered attack on macOS that surfaced online back in August 2018.
From the malware analysis there is an absence of an Apple developer ID signature and the impersonation of cryptocurrency firms, there is a strong relationship between the two attacks. Though, the malware samples were different.
Following the reports regarding the malware, the attackers seemed quick to take the website offline! For now, the JMT Trading GitHub repository is unavailable. Additionally, the JMT Trading website is also down.
Let us know your thoughts in the comments.