Researchers have discovered AppleJeus, a new malicious operation run by the advanced persistent threat group Lazarus. While assisting with incident response efforts in earlier attacks by the group, researchers unexpectedly identified an attacker penetrating the network of a cryptocurrency exchange in Asia. The attacker used Trojanized cryptocurrency trading software, with the reported goal of stealing cryptocurrency from victims.
According to today's press release, the attackers also deployed a previously unidentified version of their Windows-based malware built for the macOS platform. The group compromised the exchange's infrastructure by tricking an unsuspecting employee into downloading a third-party application from a legitimate-looking website.
“The application’s code is not suspicious, with the exception of one component – an updater. In legitimate software, such components are used to download new versions of programs,” Kaspersky wrote in the press release.
“In the case of AppleJeus, it acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update.”
Though the operation looks similar to a supply-chain attack, it reportedly is not one: the vendor of the cryptocurrency trading software holds a valid code-signing certificate for its software and legitimate registration records for its domain.
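The behaviour Kaspersky describes, an updater that first ships a host fingerprint to a command-and-control server and only then receives the real payload, is something defenders can look for in outbound telemetry without trusting the binary's signature, since in this case the certificate was valid. The following detection sketch is an added example written for this article, not code from Kaspersky or the trading-software vendor; the log format, field names, fingerprint keys, and the vendor's expected update host are all assumptions, and the records are constructed.

```python
"""Detection sketch for a reconnaissance-style 'updater'.

Flags an updater-like process that POSTs several host-identifying fields to a
host other than the vendor's known update server. A valid code signature is
deliberately NOT treated as exculpatory: in AppleJeus the signature was valid.
Added example; log schema and thresholds are assumptions, records are constructed.
"""
import json

# Fields that together look like a basic host fingerprint (assumed schema).
FINGERPRINT_KEYS = {"hostname", "os_version", "mac", "serial", "username"}

# Hosts the vendor's updater is expected to contact (constructed placeholder).
EXPECTED_UPDATE_HOSTS = {"updates.example-vendor.invalid"}

# Constructed outbound-HTTP telemetry, one JSON record per line.
SAMPLE_EVENTS = """\
{"process": "TradingApp", "signed": true, "method": "GET", "host": "updates.example-vendor.invalid", "body": {}}
{"process": "Updater", "signed": true, "method": "GET", "host": "updates.example-vendor.invalid", "body": {}}
{"process": "Updater", "signed": true, "method": "POST", "host": "cdn.update-check.invalid", "body": {"hostname": "TRD-07", "os_version": "10.13.6", "mac": "aa:bb:cc:dd:ee:ff", "serial": "SERIAL-PLACEHOLDER"}}
{"process": "Safari", "signed": true, "method": "POST", "host": "cdn.update-check.invalid", "body": {"hostname": "TRD-07"}}
"""


def is_updater(process_name):
    """Heuristic: the process presents itself as an update component."""
    return "updat" in process_name.lower()


def looks_like_fingerprint(body, min_keys=3):
    """Require several identifying fields at once; a single field such as
    hostname is common in benign traffic and would be too noisy."""
    return len(FINGERPRINT_KEYS & set(body)) >= min_keys


def classify(event):
    """Return a finding string for a suspicious check-in, or None."""
    if not is_updater(event["process"]):
        return None
    if event["host"] in EXPECTED_UPDATE_HOSTS:
        return None  # talking to the vendor's own update server is expected
    if event["method"] == "POST" and looks_like_fingerprint(event["body"]):
        return ("updater %s posted host fingerprint to unexpected host %s "
                "(signed=%s)" % (event["process"], event["host"], event["signed"]))
    return None


def scan(lines):
    """Run classify() over newline-delimited JSON records and collect findings."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The check keys on behaviour (who the updater talks to and what it sends) rather than on the signature, which is the point of the press release's caveat: a properly signed updater from a properly registered domain can still act as a reconnaissance module.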