Ghost Mach-O: an analysis of Lazarus’ Mac-malware innovations
30 September - 2 October, 2020 / vblocalhost.com
GHOST MACH-O: AN ANALYSIS OF LAZARUS’ MAC-MALWARE INNOVATIONS
Dinesh Devadoss
K7 Computing, India
[email protected]
www.virusbulletin.com
GHOST MACH-O: AN ANALYSIS OF LAZARUS’ MAC-MALWARE INNOVATIONS DEVADOSS
ABSTRACT
The infamous Lazarus APT group, also known as Hidden Cobra, has constantly been upgrading its arsenal and techniques, and was recently even able to orchestrate a living-off-the-land attack. In this campaign the group used a brand new fileless technique, a first in the Mac universe, which attracted a lot of attention from the cybersecurity community.

The technique is actually very interesting. The Lazarus trojan loader component used MemoryBasedBundle, which allows Mach-O code to be executed directly from memory rather than from a file on disk, thereby evading the disk-based file-object detections of Mac AV products.

In this paper we will demystify this novel fileless technique, analysing how and why it works. To provide context for Lazarus’ increasing sophistication, we will discuss the group’s various campaigns that targeted cryptocurrency exchanges and other financial institutions. In …