Security researcher Dinesh Devadoss has discovered macOS malware on the website unioncrypto.vip, which advertises an «intelligent cryptocurrency arbitrage platform».
Another #Lazarus #macOS #trojan
Contains code: Loads Mach-O from memory and executes it / Writes to a file and executes it @patrickwardle @thomasareed pic.twitter.com/Mpru8FHELi
— Dinesh_Devadoss (@dineshdina04) December 3, 2019
The UnionCryptoTrader installer package contains a postinstall script that installs a launch daemon, vip.unioncrypto.plist. The package is not digitally signed, so macOS warns the user when it is opened.
The Trojan then contacts a remote command-and-control server, which returns a payload that is executed directly in the computer's memory. UnionCryptoTrader collects basic information about the system: its serial number and OS version.
The hidden binary unioncryptoupdater is configured to start each time the system reboots.
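The persistence described above (a postinstall-dropped launchd plist whose job restarts a binary on every boot) is something a responder can hunt for with a few lines of triage code. The following Python is an added example, not code from the article or from the malware analysis: it parses a LaunchDaemon plist and flags jobs that run at load from a non-standard location, use a hidden path component, or whose reverse-DNS label maps back to the unioncrypto.vip domain named in the article. The two plists embedded in it are constructed for the example; the label vip.unioncrypto and binary name unioncryptoupdater come from the article, while the install directory /Library/UnionCrypto is an assumption.

```python
"""Triage helper for macOS launchd persistence (added example, not from the article)."""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Locations where launchd programs shipped by Apple or regular apps normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

# Indicator taken from the article: the site that served the installer.
IOC_DOMAINS = {"unioncrypto.vip"}

# CONSTRUCTED sample modelled on the persistence the article describes.
# Label and binary name are from the article; /Library/UnionCrypto is an
# assumed install directory, not taken from the page.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>vip.unioncrypto</string>
    <key>ProgramArguments</key>
    <array><string>/Library/UnionCrypto/unioncryptoupdater</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# CONSTRUCTED benign control: an Apple-style job in a standard location.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.example</string>
    <key>ProgramArguments</key>
    <array><string>/usr/libexec/example</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def label_to_domain(label: str) -> str:
    """Turn a reverse-DNS launchd Label (vip.unioncrypto) into a domain (unioncrypto.vip)."""
    parts = label.split(".")
    if len(parts) < 2:
        return label
    return ".".join(reversed(parts[:2]))


def program_path(job: dict) -> Optional[str]:
    """launchd accepts either Program or ProgramArguments; argv[0] is the binary."""
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    prog = job.get("Program")
    return str(prog) if prog else None


def assess_launch_job(plist_bytes: bytes) -> Dict[str, object]:
    """Return label, program path, findings and a suspicious verdict for one plist."""
    job = plistlib.loads(plist_bytes)
    label = str(job.get("Label", ""))
    path = program_path(job)
    findings: List[str] = []
    suspicious = False

    if path is None:
        return {"label": label, "program": None,
                "findings": ["no Program/ProgramArguments"], "suspicious": False}

    # Persistence strength: informative on their own, decisive only with another hit.
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad: started by launchd on every boot")
    if job.get("KeepAlive"):
        findings.append("KeepAlive: relaunched by launchd if the process exits")

    # Strong indicators.
    if not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside standard locations: {path}")
        suspicious = True
    if any(part.startswith(".") for part in Path(path).parts):
        findings.append("hidden (dot-prefixed) path component")
        suspicious = True
    domain = label_to_domain(label)
    if domain in IOC_DOMAINS:
        findings.append(f"label maps to known IOC domain {domain}")
        suspicious = True

    return {"label": label, "program": path, "findings": findings, "suspicious": suspicious}


def scan_launchd_dir(directory: str) -> List[Dict[str, object]]:
    """Assess every plist in a launchd directory such as /Library/LaunchDaemons."""
    results = []
    for plist_file in sorted(Path(directory).glob("*.plist")):
        try:
            result = assess_launch_job(plist_file.read_bytes())
        except Exception as exc:  # malformed plist: report it rather than abort the scan
            result = {"label": plist_file.name, "program": None,
                      "findings": [f"parse error: {exc}"], "suspicious": False}
        result["file"] = str(plist_file)
        results.append(result)
    return results


if __name__ == "__main__":
    for sample in (SAMPLE_PLIST, BENIGN_PLIST):
        r = assess_launch_job(sample)
        print(r["label"], "SUSPICIOUS" if r["suspicious"] else "ok")
        for finding in r["findings"]:
            print("  -", finding)
```

The location check is a triage heuristic, not a verdict: legitimate third-party helpers also live under /Library, so the follow-up on any flagged job is to inspect the binary it points to (for example its code signature, which the article notes this installer lacked) before removing it.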
The sample has a low detection rate, which makes it harder to spot and investigate: according to VirusTotal, at the time of writing only five antivirus engines flag it as malicious.
Similarities between UnionCryptoTrader and the AppleJeus attack prompted researchers to suggest that the North Korean hacker group Lazarus is behind it.
That malware was found in the IT systems of an Asian cryptocurrency exchange; using the Fallchill Trojan, it targeted several operating systems and was designed to steal cryptocurrency.