Operation AppleJeus: The Lazarus Group hit cryptocurrency exchange with Mac malware

• Lazarus hackers have upgraded their malware Fallchill, enabling it to target MacOS systems.
• The Fallchill malware was embedded in a cryptocurrency trading application.

The notorious North Korean hacker group Lazarus recently targeted a cryptocurrency exchange with Mac malware in a new campaign called AppleJeus. The group has switched back to using one of its older malware, called Fallchill, which appears to have been upgraded to target MacOS systems.

According to security researchers at Kaspersky Labs, who discovered the new Lazarus campaign, this is the first time that the hacker group has distributed a Mac malware. AppleJeus was first detected after an Asia-based cryptocurrency exchange was targeted by Lazarus.

AppleJeus campaign

Lazarus upgraded the Fallchill malware to steal cryptocurrencies from both Windows and Mac users. The malware was embedded into a legitimate-looking cryptocurrency trading application called Celas Trade Pro. The malware is capable of collecting a targeted computer’s system information and sending it to the C2 server.

The Mac malware is also capable of stealing the host name, OS type and version, OS kernel type and version, as well as the system architecture.

“Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor,” Kaspersky researchers said in a report. “Lazarus group has entered a new platform: macOS. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.”

It is still unclear whether Lazarus successfully compromised Celas LLC, the manufacturer of the cryptocurrency trading application. Lazarus has previously successfully targeted multiple supply-chain companies, indicating that a compromise may be likely.

“From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a ‘legitimate looking’ software update mechanism,” Kaspersky researchers said. “Sounds logical: if one cannot compromise a supply chain, why not to make fake one?”