A newly discovered backdoor written specifically for macOS shares a number of features and functions with an older piece of malware attributed to the Lazarus APT group, which has been linked to the North Korean government.
The new malware was uploaded to the VirusTotal service last month, and researchers who recently examined it found that both its functionality and the attack vector used to install it are suspiciously similar to an older backdoor that was delivered through a malicious cryptocurrency trading app. That operation, discovered in 2018, involved malware for both Windows and macOS, and the infection chain included an entirely fabricated cryptocurrency trading platform, complete with a website. Researchers at Kaspersky Lab discovered the older backdoor, known as AppleJeus, and found that it was disguised as an update for a trading app called Celas Trade Pro. The AppleJeus malware collected a variety of standard system information, sent it to a remote server, and also had the ability to download and install other implants.
The more recent backdoor has similar functionality, and the attackers took a similar tack to get it onto victims' machines. In this case, they created a new, fictitious cryptocurrency trading platform called JMT Trading and put up a website that contained a link to code on GitHub. The disk image hosted there installs a package that is not signed, and a script inside that package then installs several other components.
“Both the daemon’s plist and binary are (originally) embedded into an application, JMTTrader.app found within the .pkg. Specifically they’re hidden files found in the /Resources directory; Resources/.org.jmttrading.plist and Resources/.CrashReporter,” security researcher Patrick Wardle said in a detailed analysis of the new macOS backdoor.
The CrashReporter binary installed by the malware is where most of the action takes place. It can download information from a remote command-and-control server and also listens for tasking from that server. The implant itself is not especially complex or advanced, but it stands out for a few reasons. Malware of this kind is still not that common on macOS, particularly in the toolsets of APT groups. Some such groups are known to use macOS malware, but it is nowhere near as common as Windows-specific malware and backdoors. Much of that has to do with the target population and the relative install bases of Windows and macOS, but as Apple products become more common in enterprise and government environments, toolsets designed to exploit those products will inevitably follow.
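The pattern described above (an unsigned installer package, a daemon plist and binary hidden as dot-files under the bundled app's Resources directory, and an installer script that loads the daemon) is something a defender can check for before a package ever runs. The following Python triage script is an added example, not code from the article or from Wardle's analysis. It assumes you have already run `pkgutil --check-signature` and `pkgutil --expand` on the .pkg on a Mac and extracted its Payload into a directory; because those tools only exist on macOS, the script builds a constructed stand-in tree instead so it runs anywhere. The plist Label, the program path /Library/JMTTrader/CrashReporter and the contents of the postinstall script are assumptions for the demo, not values taken from the real sample.

```python
"""Triage an expanded macOS installer package for hidden launch-daemon persistence.

Added example, not the article's or Wardle's code.  Point triage() at a
directory produced by `pkgutil --expand pkg.pkg out/` plus an extracted
Payload; build_sample_tree() fabricates such a tree for an offline run.
"""
import os
import plistlib
import re
import tempfile

# Installer scripts that touch launchd are how a package gets a daemon loaded.
LAUNCHD_HINTS = re.compile(r"launchctl|/Library/LaunchDaemons|/Library/LaunchAgents")
IGNORED_DOTFILES = {".DS_Store"}  # Finder metadata, not worth flagging


def find_hidden_resources(root):
    """Dot-files under any Resources directory.  The article's sample hid its daemon
    plist and binary as Resources/.org.jmttrading.plist and Resources/.CrashReporter."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "Resources":
            continue
        for name in files:
            if name.startswith(".") and name not in IGNORED_DOTFILES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def parse_launchd_plist(path):
    """Pull the fields a triager cares about out of a launchd property list."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments") or [None]
    return {
        "label": data.get("Label"),
        "program": data.get("Program") or args[0],
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }


def find_launchd_scripts(root):
    """preinstall/postinstall scripts that reference launchctl or the launchd directories."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in ("preinstall", "postinstall"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                if LAUNCHD_HINTS.search(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def triage(root):
    """Return the hidden resources, any launchd plists among them, and suspicious scripts."""
    hidden = find_hidden_resources(root)
    daemons = {rel: parse_launchd_plist(os.path.join(root, rel))
               for rel in hidden if rel.endswith(".plist")}
    return {"hidden_resources": hidden,
            "launchd_plists": daemons,
            "launchd_scripts": find_launchd_scripts(root)}


def build_sample_tree():
    """Constructed stand-in for an expanded .pkg with its Payload extracted, mirroring
    the layout the article describes.  Label, program path and script text are assumed."""
    root = tempfile.mkdtemp(prefix="pkg-triage-")
    res = os.path.join(root, "Payload", "JMTTrader.app", "Contents", "Resources")
    os.makedirs(res)
    daemon = {
        "Label": "org.jmttrading",                                  # assumption
        "ProgramArguments": ["/Library/JMTTrader/CrashReporter"],   # assumption
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with open(os.path.join(res, ".org.jmttrading.plist"), "wb") as fh:
        plistlib.dump(daemon, fh)
    with open(os.path.join(res, ".CrashReporter"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe")  # 64-bit Mach-O magic, stands in for the real binary
    scripts = os.path.join(root, "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "postinstall"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed: copy the hidden files out, then load the daemon\n"
                 "launchctl load /Library/LaunchDaemons/org.jmttrading.plist\n")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(key, value)
```

Any hit in all three categories at once (hidden files under Resources, one of them a RunAtLoad launchd plist, and a postinstall that calls launchctl) is the combination worth pulling the package apart over, whatever the signing status; an unsigned package with that shape should not be installed at all.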
The Lazarus group is a well-known attack team attributed to North Korea, and security researchers have discovered a number of the group's tools and malware implants over the years. The group has been blamed for a wide variety of high-profile operations, most famously the intrusion at Sony Pictures in 2014, and some researchers have connected the group to the WannaCry ransomware outbreak as well.
Wardle said that while the backdoor he analyzed in the last few days isn’t identical to the older AppleJeus malware, there are plenty of indications that they are the work of the same team.
“IMHO, without a doubt, both malware specimens were written by the APT group: Lazarus. However, though both malware samples are written by the same APT group, the samples are not the same,” Wardle said.
“First, as noted by Kaspersky in their writeup on the previous Lazarus backdoor, that backdoor was ‘implemented using a cross-platform QT framework.’ The sample we looked at today is solely created for macOS (there is no cross-platform code). The previous backdoor also ‘collects basic system information … such as host name, OS type and version, System architecture, OS kernel type and version.’ Today’s specimen does not appear to contain this functionality.”