Researchers Detect New North Korea-Linked MacOS Malware on Crypto Trading Site

Published at: Dec. 4, 2019

Security researchers have discovered a new cryptocurrency-related macOS malware believed to be the product of North Korean hackers at the Lazarus Group.

As tech-focused publication Bleeping Computer reported on Dec. 4, malware researcher Dinesh Devadoss encountered a malicious software on a website called “unioncrypto.vip,” that advertised a “smart cryptocurrency arbitrage trading platform.” The website did not cite any download links, but hosted a malware package under the name “UnionCryptoTrader.”

Linkage to North Korean hackers

According to the researchers, the malware can retrieve a payload from a remote location and run it in memory, which is not common for macOS, but more typical for Windows. This feature makes it difficult to detect the malware and carry out forensic analysis. Per VirusTotal, an online service for analyzing and detecting viruses and malware, only 10 antivirus engines flagged it as malicious at press time.

After conducting an analysis of the newly detected malware, security researcher Patrick Wardle determined “clear overlaps” with malware found by MalwareHunterTeam in mid-October, which purportedly led to the Lazarus group. At the time, the researchers detected that Lazarus had created another malware targeting Apple Macs that masquerades behind a fake cryptocurrency firm.

Recent North Korea-related developments

In recent months, there has been plenty of news about North Korea-related developments. In late November, United States prosecutors announced the arrest of Virgil Griffith, who allegedly traveled to North Korea to deliver a presentation on how to use crypto and blockchain technology to circumvent sanctions.

Following the arrest, Ethereum (ETH) co-founder Vitalik Buterin declared his solidarity with Virgil Griffith, having supported a petition to free the blockchain developer.

The United Nations Security Council's Sanctions Committee on North Korea accused the country of using a Hong Kong-based blockchain firm as a front to launder money. 

Tags
Related Posts
N. Korean Hackers’ New MacOS Malware Hides Behind Fake Crypto Firm
The notorious North Korean hackers known as the Lazarus APT Group have created another malware targeting Apple Macs that masquerades behind a fake cryptocurrency firm. Apple Mac security specialist and principal security researcher at Jamf Patrick Wardle published a blog post on Oct. 12 outlining the nature of the malware, revealed by MalwareHunterTeam (MHT) researchers the previous day. Closely related to earlier macOS crypto-malware MHT and Wardle have warned that at the time of their warning, the malware was undetected by any engines on VirusTotal and that the sample appears to be closely related to a strain of Mac malware …
Cryptocurrencies / Oct. 14, 2019
North Korean Hacker Group Modifies Crypto-Stealing Malware
The Lazarus hacker group, which is allegedly sponsored by the North Korean government, has deployed new viruses to steal cryptocurrency. Major cybersecurity firm Kaspersky reported on Jan. 8 that Lazarus has doubled down its efforts to infect both Mac and Windows users’ computers. The group had been using a modified open-source cryptocurrency trading interface called QtBitcoinTrader to deliver and execute malicious code in what has been called “Operation AppleJeus,” as Kaspersky reported in late August 2018. Now, the firm reports that Lazarus has started making changes to the malware. Kaspersky identified a new macOS and Windows virus named UnionCryptoTrader, which …
Cryptocurrencies / Jan. 9, 2020
Robotics Company Falls Prey to Ransomware Attack
Ransomware gang REvil, known for launching stolen data auctions on the dark web, is now leaking sensitive documents stolen from a US-based robotics company. According to an official blog post from REvil on June 11, the team has started leaking confidential data belonging to Symbotic LLC. The post noted: “You do not want to speak with us and you probably think that we will not publish your data. We are already publishing.” The cybercriminal group stated that they’d created a website and paid for the hosting for a year. They threatened to make the robotics company’s data visible for “a …
Technology / June 12, 2020
Expert Warns: Don’t Trust Ransomware Groups Amid Pandemic
A cybersecurity expert explained why he is convinced that the promises made by ransomware groups amid the pandemic are irrelevant. Brett Callow — threat analyst at cybersecurity firm Emsisoft — told Cointelegraph that multiple ransomware groups recently made promises to halt their activity against medical organizations amid the coronavirus pandemic. Still, he believes that those promises are irrelevant: “The claims of a ceasefire made by ransomware groups are irrelevant [and] should be completely disregarded. Would you leave your front door unlocked simply because the local burglars had pinky-promised not to rob you? Probably not. The story of the frog and …
Blockchain / April 16, 2020
Crypto Price Tracking App CoinTicker Installs Backdoors to Control Host Computer: Report
Cybersecurity publications were sounding the alarm over cryptocurrency malware again Monday, Oct. 29 after a Malwarebytes forum user reported a price monitoring app for macOS was a trojan. Confirmed in a blog post by the cybersecurity software developer, community member 1vladimir reported suspicious behavior by an app called CoinTicker over the weekend. The app purports to let users track cryptocurrency prices from within the Mac toolbar, which update automatically. “Although this functionality seems to be legitimate, the app is actually up to no good in the background, unbeknownst to the user,” Malwarebytes’ blog post explains, adding: “Without any signs of …
Cryptocurrencies / Oct. 30, 2018