
Anti-Virus Software Kaspersky Lab Releases Report on Malware Lazarus Targeting Mac OS

August 24, 2018 17:00
Source: Gadgets To Use

As technology advances, the dangers associated with it grow proportionately. In December, the cyber security agency Trend Micro unearthed malware called Digmine that was targeting Facebook Messenger in order to illicitly mine cryptocurrencies.

Now, there is another harmful agent that is targeting not only exchanges but also financial institutions such as banks. Anti-virus software company Kaspersky Lab released a detailed report on ‘Lazarus’, a trojanized cryptocurrency trading application that has been targeting Mac operating systems (OS) for the first time.

The report said, “While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.”

Since the anti-virus company’s technology is comparatively advanced, they were able to stem the harmful effects right in the bud and trace the origin of the malware.

Kaspersky added, “This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.”

The report added that since the website also targeted Mac OS, it had introduced a ‘native version’ of the trading app. The report states, “A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.”

Source: Secure List

At a glance Celas (as evidenced in the screenshot) does not look malicious and appears to be a genuine website. There is absolutely no abnormal behaviour in the User Interface.

It further added, “Once the Celas Trade Pro app is installed on macOS, it starts the Updater application on the system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start. We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018”
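The persistence detail quoted above (a dot-prefixed plist that launches "Updater" with "CheckUpdate") can be checked for on a Mac. The following is an added example, not code from Kaspersky's report or this article: the function names and the choice of the standard launchd directories are assumptions, since the article does not say where the plist is placed.

```python
import hashlib
import plistlib
from pathlib import Path

# Indicators quoted from the report excerpt above.
REPORTED_PLIST = ".com.celastradepro.plist"
REPORTED_ARG = "CheckUpdate"
REPORTED_DMG_MD5 = "48ded52752de9f9b73c6bf9ae81cb429"
# Assumption: the standard launchd directories; the article does not name the folder.
LAUNCH_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
               str(Path.home() / "Library/LaunchAgents"))


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Report dot-prefixed launchd plists, which Finder and plain `ls` do not list."""
    findings = []
    for folder in map(Path, dirs):
        if not folder.is_dir():
            continue
        for path in sorted(folder.iterdir()):  # iterdir() includes dotfiles
            if not (path.name.startswith(".") and path.name.endswith(".plist")):
                continue
            reasons = ["hidden plist in launchd directory"]
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)  # handles XML and binary plists
            except Exception:
                job, reasons = {}, reasons + ["unparseable plist"]
            if not isinstance(job, dict):
                job = {}
            args = [str(a) for a in job.get("ProgramArguments") or [job.get("Program", "")]]
            if path.name == REPORTED_PLIST:
                reasons.append("file name matches report")
            if REPORTED_ARG in args:
                reasons.append("passes CheckUpdate parameter")
            findings.append({"path": str(path), "args": args,
                             "run_at_load": bool(job.get("RunAtLoad")), "reasons": reasons})
    return findings


def is_reported_installer(dmg_path):
    """True if the file's MD5 equals the installer hash given in the report."""
    digest = hashlib.md5(usedforsecurity=False)
    with open(dmg_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == REPORTED_DMG_MD5


if __name__ == "__main__":
    for f in scan_launch_dirs():
        print(f["path"], f["args"], "; ".join(f["reasons"]))
```

A hidden plist in a launchd directory is worth reviewing even when its name and arguments do not match the report, which is why every dot-prefixed plist is returned with its reasons.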

It appears that it will be a while before the world is entirely rid of bad actors and malicious cryptocurrency mining malware. Until then, the rest of the community will have to depend on the cyber security team.
