It appears North Korean hackers have revisited a tried-and-true scheme to attack Mac owners who work at cryptocurrency exchanges: creating a fake company and corresponding cryptocurrency trading app that actually infects users with malware.
Researcher Patrick Wardle, creator of OS X security firm Objective-See, reported in a blog post late last week that malicious actors set up a website for a phony crypto firm called JMT Trading, with a link to a GitHub page where visitors could supposedly download a trading app. In reality, however, these users were downloading files laced with malware that was uncovered by researchers at MalwareHunterTeam on Oct. 11.
According to Wardle, the malware allows attackers to remotely execute commands and essentially gain control over Mac systems. At the time it was analyzed, it had zero VirusTotal detections.
The malware, which arrives in a fake installer file named JMTTrader.pkg, appears to be closely related to a program used last year in a similar scheme that was attributed to the North Korea-associated APT actor Lazarus Group, aka Hidden Cobra. Researchers at Kaspersky Lab dubbed that earlier campaign Operation AppleJeus in an August 2018 report. In that campaign, the actors distributed malware via a fake cryptocurrency trading app called Celas Trade Pro.
"IMHO, without a doubt, both malware specimens were written by the APT group Lazarus," said Wardle in his blog post. The two operations shared many similarities, he continued, including the use of .pkg malware samples that are "persisted as launch daemons" and "require a single commandline argument in order to execute."