lazarusholic


Lazarus Group Goes 'Fileless'

2019-12-03, Objective-see
https://objective-see.com/blog/blog_0x51.html
#AppleJeus #Fileless

Contents

I’ve added the sample (‘OSX.AppleJeus.C’) to our malware collection (password: infect3d) …please don’t infect yourself!
Today, Dinesh_Devadoss posted a tweet about another Lazarus group macOS trojan:
Another #Lazarus #macOS #trojan
md5: 6588d262529dc372c400bef8478c2eec
hxxps://unioncrypto.vip/
Contains code: Loads Mach-O from memory and executes it / Writes to a file and executes it @patrickwardle @thomasareed
— Dinesh_Devadoss (@dineshdina04) December 3, 2019
As I’d recently written about a Lazarus group first stage implant (see: “Pass the AppleJeus”), I was intrigued to analyze this sample!
We’ll see that while there are some clear overlaps, this (new) sample contains rather sophisticated capabilities, which I’ve never seen before in (public) macOS malware!
In his tweet, Dinesh kindly provided an MD5 hash, 6588d262529dc372c400bef8478c2eec, which allows us to locate the sample (UnionCryptoTrader.dmg) on VirusTotal, where it’s only flagged as malicious by two of the engines. (See: UnionCryptoTrader.dmg on VirusTotal.)
From the URL provided in Dinesh’s tweet (https://unioncrypto.vip/) and spelunking around on VirusTotal, we can gain an understanding of the infection …

IoC
