DPRK Targets Crypto Exchanges With MacOS Malware

← back to the list


DPRK Targets Crypto Exchanges With MacOS Malware

Posted on August 26th, 2018 in Blockchain News,Around the World by Ryan Warner
  • Backdoor found inside legitimate signed software updates to Celas Trade Pro Software.
  • North Korean language included in headers.
  • Kapersky reporting that at least one exchange had been infiltrated.

Kaspersky has identified North Korean cybercrime gang as targeting cryptocurrency exchanges, and fintech companies under a malware campaign called AppleJeus.

Kaspersky Analysts have reported that one Asian cryptocurrency exchange had been infiltrated. This is the first time that Lazarus has attacked MacOS users. The cover company Celas LLC was apparently founded by Lazarus groups members for the explicit purpose of masquerading their attack behind a seemingly innocuous, professional appearing trading software.

Interestingly, the attackers had added headers for the North Korean language locale.

A Convincing Front for the Perfect Trojan Horse

The website setup by Celas LLC appears to develop cryptocurrency trading software from the outset but has been identified as having the malware distributed via an updater.

The malware was deployed as a signed software, with a certificate from Apple as the unsuspecting victim had not made any changes to his system to allow applications from unverified developers.  

A screenshot of the software Celas Trade Pro

Celas Trade Pro appeared as a fully working software

 

The app "Celas Trade Pro" provides functionality to interface with a wide range of popular exchanges via API.

Once installed on the victims office network, Intrusion detection software found the malicious code hidden inside an updater, originating from the working trading client itself. Essentially the attackers are using the trading software as a stepping stone to enable the installation of the malware.

Now installed, Lazarus used the backdoor loader Fallchill which has been reportedly used ealier on other attacks.

On further investigation - Researchers have been unable to find an organisation at the address on the certificate to where the domain is registered. The malicious code is sent as a software update which installs Fallchill, a trojan the Lazarus group has used previously.

Businesses Urged to Take Precautions

Businesses and users are advised to use hardware wallets with multi-factor authentication, and to scan all applications before installation with malware detection software.

Kapersky said in their report the website itself that Celas LLC was using, showed no abnormalities and was harmless from the outside. The pages Celasltd dot com and Subeerete dot info are currently not available at time of writting. They seemed ok, trustworthy even to experts. 

Although on further inspection it's apparent the criminals took extensive efforts to accomplish this attack, developing a different kind of attack, from the usual windows varierty but choosing instead to focus on Mac OSX, creating an entire cover company, a serious business front-end website and even developing a fully working software, to use as their trojan horse is certainly a long winded, intense process.

Going to these lengths doescertinaly give a glimpse into just how significant a return the heist offered, in terms of payout.

For continued updates on these matters, check securelist.com and qihoo 360.