Crypto currency Exchange Hack for First Mac Malware of Lazarus Group Deploys

Crypto currency is a digital asset designed to work as a medium of exchange that uses strong cryptography to secure financial transactions, control the creation of additional units, and verify the transfer of assets. Crypto currency is a kind of digital currency, virtual currency or alternative currency. Crypto currency use decentralized control as opposed to centralized electronic money and central banking systems. The decentralized control of each crypto currency works through distributed ledger technology, typically a blockchain, that serves as a public financial transaction database.

Most cryptocurrencies are designed to gradually decrease production of that currency, placing a cap on the total amount of that currency that will ever be in circulation. Compared with ordinary currencies held by financial institutions or kept as cash on hand, crypto currency can be more difficult for seizure by law enforcement. This difficulty is derived from leveraging cryptographic technologies.

Lazarus Group, the North Korean hackers who hacked Sony Films a few years back, have deployed their first Mac malware ever, according to Russian antivirus vendor Kaspersky Lab.

In a report, Kaspersky researchers reveal that Lazarus Group penetrated the IT systems of an Asia-based crypto currency exchange platform.

Exchange hacked after employee downloads trojanized app

The hack, which Kaspersky Lab analyzed under the codename of Operation AppleJeus, took place after one of the exchange’s employees downloaded an app from a legitimate-looking website that claimed to be from a company that develops crypto currency trading software.

But the app was a fake and infected with malware. On Windows, the app downloaded and infected users with Fallchill, a remote access trojan (RAT) known to be associated with the Lazarus Group since at least 2016, when it was deployed for the first time in live campaigns.

But unlike previous Lazarus operations, the hackers also deployed a Mac malware strain, something they have not done before. The malware was hidden inside the Mac version of the same crypto currency trading software.

The mystery of certificate of the malware

The trojanized crypto currency trading software was also signed by a valid digital certificate, allowing it to bypass security scans.

The big mystery surrounding this certificate is that it was issued by a company that Kaspersky experts said they weren’t able to prove it ever existed at the address in the certificate’s information.

“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,” Kamluk says.

Kaspersky didn’t name the hacked crypto currency exchange

Several cyber-security firms have pointed out many times this year that since the start of 2017, North Korean hackers have shown great interest in penetrating crypto currency exchanges and financial institutions, from where they steal funds that they later bring back into North Korea.

In the past year, several Asian cryptocurrency exchange platforms suffered security incidents, primarily exchange platforms located in South Korea. Hacks have been reported at Bithumb, Yapizon, YouBit, Coinrail, and Bithumb again.

This week, US cyber-security firm Trend Micro reported a supply-chain attack on South Korean organizations, but did not attribute the hack to North Korea, nor did it specify that the hack targeted a crypto currency exchange platform.