- Lazarus threat group’s new operation utilizes PowerShell to target Windows and MacOS systems.
- This operation is a part of the Operation AppleJeus and is ongoing since November 2018.
What is the issue - Researchers from Kaspersky observed Lazarus threat group’s new operation that utilizes PowerShell to target Windows and MacOS systems.
Why it matters - Researchers noted that the threat group’s new operation is a part of the Operation AppleJeus and is ongoing since November 2018.
The big picture
The threat group’s ongoing operation targets the staff of cryptocurrency exchanges with malicious documents that would download and install either Windows or Mac malware.
- The threat group’s custom PowerShell script communicates with the malicious C&C server and executes commands.
- Once the malware establishes a connection with the C&C server, it can upload/download files, gather host information, execute system shell command, and set sleep time.
- The malware is also capable of checking malware status, displaying current malware configuration, updating malware configuration, and exiting the malware.
Worth noting - Lazarus threat group uses various techniques to run its C&C servers such as purchasing new servers, using hacked servers, using old vulnerable servers etc.
According to server response headers, Lazarus threat group is running two different C&C servers.
- One C&C server is an old vulnerable instance of Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003.
- The other C&C server is a purchased instance from a hosting company and is currently used to host macOS and Windows payloads.
- The geography of the servers varies from China to the European Union.
“We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems,” researchers wrote in a blog.