JACK GUEZ/AFP/Getty Images
show image

A cybercrime gang linked to North Korea is turning its hand to Mac malware

A cybercrime gang linked to the North Korean government has launched a new malware campaign targeting cryptocurrency exchanges.

The gang, known as the Lazarus Group, has created a rogue cryptocurrency trading app that exploits Apple’s macOS software to gain access to victims’ devices, researchers at Kaspersky, a Russian security vendor, revealed. It marks the first time the gang is known to have targeted Apple users.

Lazarus is one of the world’s most successful hacker groups. It is alleged to have carried out the 2017 WannaCry attack on behalf of the North Korean government, and has orchestrated some of the biggest ever cyber heists, stealing tens of millions of pounds at a time from banks.

During the course of its investigation, Kaspersky found that an employee of an exchange in Asia had downloaded a version of the rogue app with the power to gain “almost unlimited access to the attacked computer”. After receiving an email recommendation, the exchange’s employee downloaded the app from a legitimate looking website with a valid SSL certificate.

Researchers said the app, dubbed AppleJeus, included a malicious updater that acts like a reconnaissance module, relaying basic information to the hackers. They can then use it to install the malicious software update and gain access to the device.

“We noticed a growing interest of the Lazarus Group in cryptocurrency markets at the beginning of 2017, when Monero mining software was installed on one of their servers by a Lazarus operator,” said Kaspersky researcher Vitaly Kamaluk. “Since then, they have been spotted several times targeting cryptocurrency exchanges alongside regular financial organizations.”

“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,” Kamaluk added.

Lazarus shot to prominence in 2014 when it crippled Sony Pictures’ computer network ahead of the release of The Interview, a satire on the leadership of the North Korean government. As well as disabling Sony’s network, the group released troves of sensitive data, including a string of embarrassing emails about A-list film stars.

In recent years, the hacking collective appears to have become more commercially minded. It is believed to have been behind the $81m (£63m) cyber heist on Bangladesh’s central bank in 2016, and is also suspected of stealing tens of millions of pounds from Taiwan’s Far East International Bank last year.