{"id":82069,"date":"2018-08-27T13:54:32","date_gmt":"2018-08-27T20:54:32","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=82069"},"modified":"2018-09-10T22:12:04","modified_gmt":"2018-09-11T05:12:04","slug":"operation-applejeus-and-osxlazarus-rise-of-a-mac-apt","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/operation-applejeus-and-osxlazarus-rise-of-a-mac-apt\/","title":{"rendered":"Operation AppleJeus and OSX\/Lazarus: Rise of a Mac APT"},"content":{"rendered":"

\"Operation<\/a><\/p>\n

Security researchers have uncovered\u00a0a new strain of malware, identified by Intego VirusBarrier as OSX\/Lazarus. The discovery of Lazarus Mac\u00a0malware, produced by a threat actor known as the Lazarus Group, has breathed new life into an infrequently discussed topic in Mac security: advanced persistent threats (APT).<\/p>\n

What Is an APT?<\/h3>\n

\"\"Advanced persistent threats (APTs) usually involve malware that is designed by nation-state caliber threat actors, engineered to evade anti-virus protection, and usually targeted at a particular organization or individual. APTs often leverage zero-day vulnerabilities<\/a> in systems known to be used by an intended target.<\/p>\n

Who Is the Lazarus Group?<\/h3>\n

\"\"The Lazarus Group is believed to have ties to North Korea for a variety of reasons, having been linked to attacks on the government of South Korea as far back as 2009. Other attacks attributed to the Lazarus Group have included the Sony Pictures breach in 2014 and a variety of attacks on banks and cryptocurrency exchanges in recent years.<\/p>\n

In an analysis of the Windows version of the recently discovered Lazarus malware (also known as “Fallchill”), system language codes were found that hint that the malware was created on a system that prefers only Korean dialects. This discovery alone is not conclusive evidence of ties to North Korea, but malware analysts say that the language code is not something they have seen in the past, and could therefore indicate a slip-up by the developer.<\/p>\n

\"\"

The Windows variant has an string that hints at North Korea ties. Image: Securelist<\/a><\/p><\/div>\n

Definitively attributing an APT to a threat actor can be challenging, because there is always the possibility that a sophisticated developer has planted “false flags” to mislead researchers, or has borrowed code or techniques from another threat actor to throw researchers off their scent. In this case, however, there is an abundance of evidence linking the recent malware to previous Fallchill malware that has been attributed to the Lazarus Group, including the reuse of command-and-control server IP addresses and\u00a0the same\u00a0hard-coded encryption key baked into the malware’s code.<\/p>\n

What Is Known About OSX\/Lazarus?<\/h3>\n

\"\"The recently discovered malware campaign (codename “jeus,” also known as “Operation AppleJeus”) appears to have launched publicly in late April 2018, as a Trojan horse under the guise of a cryptocurrency trading application going by the name “Celas Trade Pro” by the company “Celas Limited” (or Celas LLC). Windows and Mac versions of the software installer were available to download through the company’s site.<\/p>\n

\"\"

The Celas Limited homepage implies that the Trojan horse was released in late April 2018. Image: Securelist<\/a><\/p><\/div>\n

Upon installation, Celas Trade Pro’s auto-update functionality would activate, acting as a malicious dropper that would install an unwanted backdoor payload on the victim’s computer. \"\"The Mac version’s autoupdater is invoked by a LaunchDaemon file named “.com.celastradepro.plist” (with or without a period at the beginning, depending on the version; the preceding period makes a file or folder invisible in the Finder).<\/p>\n

When the malware phones home to a command-and-control server, it uses a hard-coded User Agent string that identifies itself as “Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36” \u2014\u00a0in other words, it pretends to be Chrome 66 running on macOS Sierra. The specific browser version string hints that the Mac version of OSX\/Lazarus was likely developed sometime after April 26, 2018, the date this exact Chrome version<\/a> was released, which aligns nicely with the April 29 launch date indicated on the Celas Limited homepage.<\/p>\n

The discovery of OSX\/Lazarus is significant because it marks the first time the Lazarus Group is known to have branched out into targeting Macs. Previously, the Lazarus Group has primarily focused on targeting the Windows platform.<\/p>\n

How to Tell If Your Mac Is\u00a0Infected<\/h3>\n

If you know that Celas Trade Pro has never been installed on your Mac, then you’re probably safe from this particular threat. If you share a computer with others, or if you are uncertain whether the app might have been installed in the past, you can check for the presence of the following files on your Mac to identify whether it might be infected.<\/p>\n