{"id":97604,"date":"2023-04-02T10:19:49","date_gmt":"2023-04-02T17:19:49","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=97604"},"modified":"2023-04-07T11:53:45","modified_gmt":"2023-04-07T18:53:45","slug":"smoothoperator-3cx-voip-app-spreads-mac-malware-by-lazarus-group-apt","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/smoothoperator-3cx-voip-app-spreads-mac-malware-by-lazarus-group-apt\/","title":{"rendered":"SmoothOperator: 3CX VoIP app spreads Mac malware by Lazarus Group APT"},"content":{"rendered":"

\"\"<\/p>\n

SmoothOperator is one of three new Mac-infecting malware families that came to light in March (the others being FakeGPT<\/a> and MacStealer<\/a>).<\/p>\n

Let’s take a look at what SmoothOperator does, who’s behind the campaign, and how you can avoid or clean up an infection.<\/p>\n

What should I know about SmoothOperator?<\/h3>\n

SmoothOperator is a malware campaign built upon what’s known as a software supply chain attack. In other words, the normal distribution method for some legitimate software was compromised and infected with malware.<\/p>\n

We’ve seen supply chain attacks on Mac software before; for example, the BitTorrent client app Transmission was compromised twice in 2016, once to distribute KeRanger ransomware<\/a> and later to steal macOS Keychain contents via Keydnap malware<\/a>.<\/p>\n

But in this case, SmoothOperator was the work of a sophisticated, nation-state level attacker, also known as an advanced persistent threat (APT). The particular APT group in this case is believed to be Lazarus Group<\/a>, best known among Mac users for its Operation AppleJeus<\/a> campaign.<\/p>\n

Apparently, as part of the SmoothOperator campaign, the Lazarus Group compromised the servers of voice over IP (VoIP) software maker 3CX, and maliciously modified both its Windows and macOS desktop client apps.<\/p>\n

Users of the software began to get warnings from their antivirus software\u00a0<\/span>on March 22<\/span> that something seemed amiss, but 3CX’s tech support representative dismissed it as a false positive and blamed the antivirus vendor<\/a>. Unfortunately, it turned out that the company’s software was, in fact, infected after all.<\/span><\/p>\n

How can one remove or prevent SmoothOperator and other Mac malware?<\/h3>\n

\"Intego<\/p>\n

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate this Mac malware.<\/p>\n

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It runs natively on a wide range of Mac hardware and operating systems, including the latest Apple silicon Macs running macOS Ventura.<\/p>\n

If you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from PC malware.<\/p>\n

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.<\/span><\/a><\/p>\n

How can I learn more?<\/h3>\n

For additional technical information about the SmoothOperator malware, you can refer to the original write-up by CrowdStrike<\/a> and the first<\/a>\u00a0and second<\/a> write-ups of the Mac version by Patrick Wardle.<\/p>\n

We briefly discussed Honkbox on episode 286<\/a>\u00a0of the Intego Mac Podcast:<\/p>\n