Weaponizing a Lazarus Group Implant
I’ve added the sample (‘OSX.AppleJeus.C’) to our malware collection (password: infect3d)
…please don’t infect yourself!
Recently a new piece of macOS malware was discovered:
Tweet by Dinesh_Devadoss (@dineshdina04), December 3, 2019:
Another #Lazarus #macOS #trojan
md5: 6588d262529dc372c400bef8478c2eec
hxxps://unioncrypto.vip/
Contains code: Loads Mach-O from memory and execute it / Writes to a file and execute it
@patrickwardle @thomasareed pic.twitter.com/Mpru8FHELi
In a previous blog post I analyzed this intriguing specimen (internally named macloader), created by the (in)famous Lazarus group.
This post highlighted its:
Persistence:
/Library/LaunchDaemons/vip.unioncrypto.plist ->
/Library/UnionCrypto/unioncryptoupdater
Command and Control (C&C) Server:
https://unioncrypto.vip/update
Capabilities:
The in-memory execution of remotely downloaded payloads.
For a full technical analysis of the sample, read my writeup: “Lazarus Group Goes ‘Fileless’”
While many aspects of the malware, such as its (launch daemon) persistence mechanism, are quite prosaic, its ability to execute downloaded (“2nd-stage”) payloads directly from memory is rather unique. Besides increasing stealth and complicating forensic analysis of said payloads (as they never touch the file-system), it’s just plain sexy!
It also makes for the perfect …
IoC
192.168.0.2
6588d262529dc372c400bef8478c2eec
ca57054ea39f84a6f5ba0c65539a0762
https://allyourbase.belong/
https://unioncrypto.vip/
https://unioncrypto.vip/update
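One way a defender can turn the persistence artifacts and sample hashes listed above into a host check, as an added example that is not code from the post or from the malware: it parses every launch daemon plist in a directory and flags jobs whose label, program path or program MD5 matches an indicator. The temporary directory, the com.example.benign job and the file names are constructed for the demo.

```python
import hashlib
import os
import plistlib
import tempfile

# Indicators taken from the post: launch daemon label, binary path and sample MD5s.
IOC_LABELS = {"vip.unioncrypto"}
IOC_PATHS = {"/Library/UnionCrypto/unioncryptoupdater"}
IOC_MD5S = {"6588d262529dc372c400bef8478c2eec", "ca57054ea39f84a6f5ba0c65539a0762"}

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def program_of(job):
    """Executable a launchd job runs: 'Program' if set, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or [None]
    return job.get("Program") or args[0]

def audit_launch_daemons(daemons_dir):
    """Return (plist name, reason) pairs for jobs matching any indicator."""
    findings = []
    for name in sorted(os.listdir(daemons_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(daemons_dir, name), "rb") as f:
            job = plistlib.load(f)
        prog = program_of(job)
        reasons = []
        if job.get("Label") in IOC_LABELS:
            reasons.append("label matches IoC")
        if prog in IOC_PATHS:
            reasons.append("program path matches IoC")
        # Hash check catches a renamed copy of the updater binary.
        if prog and os.path.isfile(prog) and md5_of(prog) in IOC_MD5S:
            reasons.append("program MD5 matches IoC")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings

def demo():
    """Constructed directory standing in for /Library/LaunchDaemons (not real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = {"Label": "vip.unioncrypto", "RunAtLoad": True,
                   "ProgramArguments": ["/Library/UnionCrypto/unioncryptoupdater"]}
        benign = {"Label": "com.example.benign", "Program": "/usr/bin/true"}
        for job in (suspect, benign):
            with open(os.path.join(tmp, job["Label"] + ".plist"), "wb") as f:
                plistlib.dump(job, f)
        return audit_launch_daemons(tmp)
```

On a Mac, call audit_launch_daemons("/Library/LaunchDaemons") to check the real directory; demo() only exercises the constructed sample.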