Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
At the beginning of the year, Kaspersky reported new details of an ongoing campaign they called ‘AppleJeus’, attributed to North Korean-backed APT group Lazarus and first spotted in 2018. Kaspersky noted that as of January 2020, the Lazarus group was “currently one of the most active and prolific APT actors”. Since January, other reports have detailed a macOS RAT (DaclsRAT) and linked it to a wider Lazarus cross-platform toolset (MATA framework). Since late May 2020, we have observed three other distinct families of macOS malware likely from the same actors, most of which have not yet been publicly documented. In this post, we provide a high-level overview of all four of these macOS malware families and detail their variants and evolution so far.
1. Trojanized One-Time Password Apps
The first of these four families has been covered by other researchers in detail; here we will just summarize the main findings for completeness.
First …
IoC
rule XProtect_MACOS_b17a97e
{
    meta:
        description = "MACOS.b17a97e"
    strings:
        $s1 = { 89 C1 C1 E9 07 48 69 C9 11 08 04 02 48 C1 E9 20 69 C9 80 3F 00 00 F7 D9 }
    condition:
        Macho and filesize < 100KB and all of them
}
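As an added example (not part of the original post or of Apple's XProtect), the three checks in the rule above re-implemented in plain Python so a defender can triage a suspect Mach-O without a YARA install; the Mach-O magic values are standard, the sample buffers are constructed here and are not real malware, and the `Macho` check is assumed to mean "starts with a Mach-O or fat magic".

```python
"""Plain-Python mirror of the XProtect_MACOS_b17a97e rule condition:
Macho and filesize < 100KB and $s1 present."""
import struct

# $s1 copied verbatim from the rule on the page (24-byte x86-64 code sequence).
S1 = bytes.fromhex("89 C1 C1 E9 07 48 69 C9 11 08 04 02 48 C1 E9 20 "
                   "69 C9 80 3F 00 00 F7 D9")

# Mach-O and fat-binary magic numbers as they appear in the first four file bytes.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
)
MAX_SIZE = 100 * 1024  # YARA's "100KB" is 100 * 1024 bytes


def is_macho(data: bytes) -> bool:
    """True when the buffer starts with a Mach-O or fat magic.
    Caveat: 0xcafebabe is also the Java class-file magic, so a production
    scanner should additionally validate the fat header's arch count."""
    return data[:4] in MACHO_MAGICS


def matches_rule(data: bytes) -> bool:
    """Equivalent of: Macho and filesize < 100KB and all of them ($s1)."""
    return is_macho(data) and len(data) < MAX_SIZE and S1 in data


def scan_file(path: str) -> bool:
    """Apply the rule to a file on disk."""
    with open(path, "rb") as fh:
        return matches_rule(fh.read())


# Constructed samples (not real binaries): a minimal mach_header_64 followed by
# padding, with and without the $s1 sequence embedded.
def _fake_macho(payload: bytes) -> bytes:
    header = struct.pack("<IiiIIIII", 0xFEEDFACF, 0x01000007, 3, 2, 0, 0, 0, 0)
    return header + b"\x00" * 64 + payload + b"\x00" * 64


SAMPLE_HIT = _fake_macho(S1)                   # Mach-O, small, contains $s1
SAMPLE_CLEAN = _fake_macho(b"\x90" * len(S1))  # Mach-O but no $s1
SAMPLE_NOT_MACHO = b"MZ" + b"\x00" * 62 + S1   # $s1 present but not Mach-O
```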