Lazarus Group Evolves Fileless Mac Threat

2019-12-06, K7SecurityLabs
https://labs.k7computing.com/index.php/lazarus-group-evolves-fileless-mac-threat/
#Fileless #macOS

Taking the fileless route was unheard of with Mac malware. Until now, that is! This blog describes a brand new fileless tactic pioneered by the infamous Lazarus cybercriminal group, which should set the alarm bells ringing about the continuous and evolving threats in the Mac world.
We recently observed a Trojanized version of the UnionCryptoTrader.dmg file in the wild, which we believe is the handiwork of the Lazarus group. This sample had a solitary K7 detection at the time of writing this blog. The DMG is a container for a cryptocurrency trading application and a loader. The staged payload delivery mechanism used by Lazarus in this case was intriguing, because the loader had the capability to load a remote payload directly in memory rather than via a file on disk.
What first raised our eyebrows was the domain unioncrypto.vip, registered for only one year, serving a fake cryptocurrency trading application. …

IoC

2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390