The Lazarus Group has recently been quite active in the macOS space. To read more about their past activity, see:

- “Operation AppleJeus: Lazarus hits cryptocurrency exchange w/ fake installer & macOS malware”
- “Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website”
- “Detecting macOS.GMERA Malware Through Behavioral Inspection”

In his tweet, Dinesh kindly provided an MD5 hash: 6588d262529dc372c400bef8478c2eec, which allows us to locate the sample (UnionCryptoTrader.dmg) on VirusTotal, where it’s only flagged as malicious by two of the engines. (See: UnionCryptoTrader.dmg on VirusTotal).

From the URL provided in Dinesh’s tweet ( ) and spelunking around on VirusTotal, we can gain an understanding of the infection mechanism.

Lazarus Group has a propensity for targeting users or administrators of crypto-currency exchanges. As part of my recent RSA presentation I highlighted their attack vector:

And their de facto method of infecting such targets is via fake crypto-currency company and trading applications. In this specific attack, Lazarus group created a new website, :

Pinging this site reveals that it’s still online, and resolving to 104.168.167.16:

```bash
mv /Applications/UnionCryptoTrader.app/Contents/Resources/. /Library/LaunchDaemons/
chmod 644 /Library/LaunchDaemons/

mv /Applications/UnionCryptoTrader.app/Contents/Resources/.unioncryptoupdater /Library/UnionCrypto/unioncryptoupdater

chmod +x /Library/UnionCrypto/unioncryptoupdater
/Library/UnionCrypto/unioncryptoupdater &
```

The purpose of this script is to persistently install a launch daemon.
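The install script above moves a hidden plist into `/Library/LaunchDaemons/` and a hidden binary into a bare vendor directory under `/Library/`, then starts it. A defender can triage launch daemons for exactly those traits. The following is an added example, not code from the original post or from Objective-See: it uses Python's standard-library `plistlib` to parse launchd plists and flag jobs whose program lives outside the usual install roots, has a dot-prefixed (hidden) path component, or whose `Label` does not match the plist file name. Both sample plists are constructed for the demonstration; only the binary path `/Library/UnionCrypto/unioncryptoupdater` comes from the page, while the `Label` values, the other keys and the `TRUSTED_ROOTS` allowlist are assumptions to tune per fleet.

```python
import plistlib
from pathlib import Path, PurePosixPath
from xml.parsers.expat import ExpatError

# Constructed sample plist shaped like the persistence the installer script sets up.
# Only the program path is from the write-up; the Label and the other keys are assumed.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/UnionCrypto/unioncryptoupdater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign counterpart: a daemon launched from a standard install root.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup-agent</string>
  <key>Program</key><string>/usr/local/bin/backup-agent</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Where legitimately installed daemons normally live. A site allowlist (assumption,
# tune it for your fleet), not an authoritative list from Apple.
TRUSTED_ROOTS = (
    "/System/", "/usr/", "/bin/", "/sbin/",
    "/Library/Apple/", "/Library/PrivilegedHelperTools/",
    "/Library/Application Support/", "/Applications/",
)

PERSISTENCE_NOTE = "job runs at load and/or is kept alive"


def launchd_program(job: dict):
    """Return the executable launchd would run: Program wins over ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launch_daemon(plist_path: str, data: bytes) -> list:
    """Return human-readable findings for one launchd plist (empty list = nothing notable)."""
    job = plistlib.loads(data)
    findings = []
    prog = launchd_program(job)
    if prog is None:
        return ["plist names no program to run"]

    # A daemon binary in a bare vendor directory directly under /Library is unusual.
    if not prog.startswith(TRUSTED_ROOTS):
        findings.append(f"program outside trusted install roots: {prog}")

    # Dot-prefixed path components hide files from Finder and a casual `ls`.
    if any(part.startswith(".") for part in PurePosixPath(prog).parts[1:]):
        findings.append(f"program path has a hidden component: {prog}")

    # Label is expected to match the plist file name; a mismatch is a sloppiness tell.
    label = job.get("Label", "")
    stem = PurePosixPath(plist_path).stem
    if label and label != stem:
        findings.append(f"Label {label!r} does not match file name {stem!r}")

    # Informational: RunAtLoad/KeepAlive is how the job survives a reboot. Normal for
    # daemons, so it only matters together with the findings above.
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        findings.append(PERSISTENCE_NOTE)
    return findings


def is_suspicious(plist_path: str, data: bytes) -> bool:
    """True when there is at least one finding beyond the persistence note."""
    return any(f != PERSISTENCE_NOTE for f in triage_launch_daemon(plist_path, data))


def scan_launch_daemons(directory: str = "/Library/LaunchDaemons") -> dict:
    """Triage every plist in a directory; returns {path: findings}."""
    report = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            report[str(path)] = triage_launch_daemon(str(path), path.read_bytes())
        except (plistlib.InvalidFileException, ValueError, ExpatError) as exc:
            report[str(path)] = [f"unparseable plist: {exc}"]
    return report


if __name__ == "__main__":
    for name, data in (("com.example.updater.plist", SUSPECT_PLIST),
                       ("com.example.backup-agent.plist", BENIGN_PLIST)):
        path = "/Library/LaunchDaemons/" + name
        verdict = "SUSPICIOUS" if is_suspicious(path, data) else "ok"
        print(f"{path}: {verdict}")
        for finding in triage_launch_daemon(path, data):
            print("  -", finding)
```

On a live Mac, `scan_launch_daemons()` walks `/Library/LaunchDaemons` directly; the sample run uses the two constructed plists so it works offline. The persistence note is deliberately kept informational, since almost every legitimate daemon sets `RunAtLoad`; what separates the suspect job is the binary's location, not the fact that it persists.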