Like Lazarus rising from the dead, the same-named cybercrime ring from North Korea is back – and this time they are targeting cryptocurrency exchanges using malware designed for both Windows and MacOS, reports Kaspersky Lab.


On August 23, 2018, Kaspersky Lab reported that the cybercrime ring known as Lazarus Group had resurfaced with a new malware campaign – dubbed ‘AppleJeus’ by analysts – that aims to steal cryptocurrency using trojanized crypto trading software. This marks the first time that the group has deployed MacOS-based malware to breach cryptocurrency exchanges.

How It Happened

According to the report, an employee of the exchange downloaded a cryptocurrency trading application that had been recommended to the company via email. Upon installing the software, the employee’s computer was infected with the remote access Trojan ‘Fallchill’ – an older tool which the hacking group has begun using again. Unlike previous malware campaigns, however, AppleJeus was not only meant for Windows users, but for MacOS users as well.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website.

Kaspersky Lab has called this attack a “wake up call” for MacOS users who labor under the misconception that non-Windows operating systems are impervious to malware infections.

How The Malware Works

Rather than include the malicious code in the initial software download, where it would have likely been detected by the user’s antivirus and/or anti-malware software, Lazarus Group did something far more insidious.

At first glance, the cryptocurrency trading app that the exchange employee downloaded, Celas Trade Pro, appears to be genuine. The AIO (all-in-one) application, developed by Celas Limited, showed no malicious behavior whatsoever. Looking closer, however, researchers at Kaspersky Lab discovered what they felt was a “suspicious” updater in the application’s installation package.

In legitimate software, the updater is used to download and install new updates to the software. In this case, however, the updater acts like a reconnaissance module, initially just sending basic information about the host computer back to the hackers. If the hackers decide that the computer is worth infiltrating, the malicious code is sent to the host computer in the guise of a software update.
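The defensive lesson of this updater is that an update client must never trust whatever bytes the update server hands it. The following Python is an added illustration, not code from the article, from Kaspersky Lab or from Celas: it models an updater that will only install an artifact whose SHA-256 matches a manifest pinned outside the update channel, so a server that turns malicious (or a fake vendor running its own server) cannot push a payload “in the guise of a software update”. The artifact names, the manifest and the sample bytes are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample artifacts (not real Celas Trade Pro files): a known-good
# update and a copy with its last byte altered, standing in for a payload
# substituted on the update server.
GOOD_UPDATE = b"TRADEPRO-UPDATE-1.1.0\n" + bytes(range(256))
TAMPERED_UPDATE = GOOD_UPDATE[:-1] + b"\x00"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an update artifact."""
    return hashlib.sha256(data).hexdigest()


# Pinned manifest. In a real deployment this comes from the vendor over a
# channel the updater does not control (for example a signed manifest shipped
# inside the installer). It is derived from the constructed good artifact here
# only so that the block runs offline.
PINNED_MANIFEST = {
    "tradepro-1.1.0.pkg": sha256_hex(GOOD_UPDATE),
}


def verify_update(name: str, data: bytes, manifest=PINNED_MANIFEST):
    """Return (accepted, reason).

    Anything not listed in the pinned manifest is refused, so controlling the
    update server alone is not enough to get code installed; the attacker
    would also have to change the manifest delivered out of band.
    """
    expected = manifest.get(name)
    if expected is None:
        return False, "not in pinned manifest"
    actual = sha256_hex(data)
    # Constant-time comparison; the hashes are public, so this mainly avoids
    # hand-rolled string compares that are easy to get wrong.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "ok"


def apply_update(name: str, data: bytes, install):
    """Verify first, then hand the artifact to `install` (a callback that does
    the platform-specific work; the same policy applies on Windows and macOS).
    Returns a one-line status string."""
    accepted, reason = verify_update(name, data)
    if not accepted:
        return f"rejected {name}: {reason}"
    install(data)
    return f"installed {name}"


if __name__ == "__main__":
    # Demo run over the constructed artifacts.
    staged = []
    print(apply_update("tradepro-1.1.0.pkg", TAMPERED_UPDATE, staged.append))
    print(apply_update("tradepro-9.9.9.pkg", GOOD_UPDATE, staged.append))
    print(apply_update("tradepro-1.1.0.pkg", GOOD_UPDATE, staged.append))
```

The check is deliberately one-directional: the updater decides what it will accept, and the server has no say beyond offering artifacts. A reconnaissance-style updater that sends host details first and receives a tailored “update” back fails this policy outright, because nothing it receives is in the manifest.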

This “update” installs the Fallchill Trojan, which, according to Kaspersky Lab, “provides the attackers with almost unlimited access to the attacked computer, allowing them to steal valuable financial information or to deploy additional tools for that purpose.”

Kaspersky Lab notes in the report:

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a “legitimate looking” software update mechanism.

According to Recorded Future and other media outlets, Lazarus Group is believed to have been responsible for the 2014 Sony Pictures hack as well as the 2017 theft of more than $80 million from the Bangladesh Central Bank. They are also thought to be behind the rash of attacks last year on several South Korean cryptocurrency exchanges.

Have you ever been the victim of malware like Fallchill? What measures do you take to protect your computer and other devices? Let us know in the comments below.


Images courtesy of ShutterStock, Kaspersky Lab
