File photo – A North Korean flag flies on a mast at the Permanent Mission of North Korea in Geneva October 2, 2014. (REUTERS/Denis Balibouse/File Photo)
Mac users beware. North Korean hackers appear to be developing malware that can infect your computer.
Security firm Kaspersky Lab uncovered the macOS-based malware while investigating a hack at an unnamed cryptocurrency exchange in Asia. The breach was sourced back to an email that convinced a company employee to download a third-party app for trading virtual currencies.
Unfortunately, the app was a Trojan in disguise. According to Kaspersky, it contained a malware strain known as Fallchill , which has been linked to a notorious North Korean hacking group called Lazarus. Once infected, Fallchill can secretly take over your computer to steal data or install other malicious code.
The app came from a US-based company called Celas, which specializes in secure “blockchain solutions” for the enterprise market. When you install it, the program doesn’t do anything harmful. However, Kaspersky Lab noticed that it can update itself and deliver the Fallchill malware to your computer.
“(The updater) acts like a reconnaissance module: first, it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server,” Kaspersky Lab said. “If the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update.”
The Trojan that hit the cryptocurrency exchange was installed on a PC. But during its investigation, Kaspersky noticed that the hackers had developed a Windows and Mac version of the app, both of which contained the hidden auto-updater.
“This is the first case where Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware that targets macOS users, and it represents a wakeup call for everyone who uses this OS for cryptocurrency-related activity,” the security firm said.
As for Celas, Kaspersky suspects it’s a fake company created by the North Koreans. The person who registered the Celas website domain paid for it using Bitcoin, and used a ramen shop in Chicago as its physical address. The Celas site is currently down, and it did not immediately respond to a request for comment.
In recent months, several hacking attempts on cryptocurrency exchanges and banks have been blamed on the Lazarus group. One tactic involved trying to trick Bitcoin experts into installing malware through phishing emails that pretend to offer job positions. To protect yourself, don’t download apps from little-known vendors.
“Do not automatically trust the code running on your systems,” Kaspersky Lab said. “Neither good looking website, nor solid company profile nor the digital certificates guarantee the absence of backdoors. Trust has to be earned and proven.”
- North Korean hackers are targeting cryptocurrency workers
- Shared malware code links SWIFT-related breaches at banks and North Korean hackers
- North Korean hackers stole $25K worth of cryptocurrency: report
- FBI, DHS issue new alerts about North Korean hackers
- FBI, DHS issue alerts about North Korean hackers' FALLCHILL RAT and Volgmer backdoor
- America's Three Layered Antiballistic Missile Defense System Could Stop Any North Korean Nuclear Attack on the U.S.
- A fake Kim Jong-Un said hi to North Korean cheerleaders, who didn't take it well
- Sophisticated Mac OS Malware Uses Trust and Developer Certificates
- Startup Offers Up Endpoint Detection and Response for Behavior-based Malware Detection
- 4th North Korean Missile Shot Down in the Last Month? Covert Warfare in the Skies Over North Korea