Same threat, a new package and a modified modus operandi: that is probably the best way to describe the new "AppleJeus" malware. It is engineered to infiltrate macOS systems quietly, disguised as a legitimate trading app, and its operators escalate to a full backdoor only on the infected machines they deem worth pursuing.
According to the experts at Kaspersky Lab's Global Research and Analysis Team (GReAT), "Operation AppleJeus" is the handiwork of the Lazarus Group, a notorious hacking collective with alleged ties to the North Korean government. The group is believed to be behind a number of high-profile breaches in the past and is known to be financially motivated.
New Malware by Lazarus Group Targets macOS
The researchers at GReAT came across AppleJeus while investigating a security breach at a cryptocurrency exchange. Further analysis showed that one variant of the malware was built specifically to attack systems running Apple's macOS, and that cryptocurrency exchanges are among its primary targets.
Since this is the first Lazarus Group malware known to target macOS specifically, the group is likely broadening the range of platforms it attacks. The GReAT report also noted that a Linux variant of AppleJeus may exist. If so, the group is building versions of the same tool for several operating systems so that it can reach whichever platform a target happens to run.
Kaspersky Lab has cautioned that this should be treated as a wake-up call for users of non-Windows platforms, who have often assumed they were outside such groups' reach.
A Well-Disguised Threat
The most alarming aspect of AppleJeus is that it piggybacks on a seemingly legitimate trading app called Celas Trade Pro. The publisher of the app, Celas Limited, holds a valid code-signing certificate and legitimate-looking registration details for its domain. A valid certificate only proves that the signer managed to obtain one; it says nothing about whether the business behind it is real or trustworthy.
However, further investigation revealed that the address the company provided is bogus and does not host any business by the name of Celas Limited. That was possibly the first major clue, and as the researchers examined Celas Trade Pro's code, they found something even more unsettling.
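The practical lesson of the Celas Trade Pro case is that "signed with a valid certificate" is not a trust decision. One way to act on that, as an added example written for this article (not Kaspersky's or Apple's tooling), is to record the Apple TeamIdentifier you expect for each approved app and alert when an installed copy is signed by anyone else. The code parses the key=value output that macOS's `codesign -dv --verbose=4` prints to stderr; the allowlist, bundle identifier, team ID and sample codesign output below are constructed for the example and are not real values from the article.

```python
"""Pin a macOS app's signing identity instead of trusting "it is signed".

Illustrative code added for this article. The allowlist entries and the
SAMPLE codesign output are constructed; replace them with your own inventory.
"""
import subprocess
from typing import Dict, List, Optional

# Constructed allowlist: bundle identifier -> expected Apple TeamIdentifier.
# In a real deployment this comes from an MDM or software inventory, not a literal.
APPROVED_TEAMS: Dict[str, str] = {
    "com.example.trader": "ABCDE12345",  # hypothetical app and team ID
}


def parse_codesign(output: str) -> Dict[str, object]:
    """Parse the key=value lines that `codesign -dv --verbose=4` emits.

    codesign prints one "Authority=" line per certificate in the chain, leaf
    first, so those are collected into a list; every other key is kept as-is.
    """
    info: Dict[str, object] = {"Authority": []}
    for raw in output.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "Authority":
            info["Authority"].append(value)  # type: ignore[union-attr]
        else:
            info[key] = value
    return info


def assess(info: Dict[str, object], approved: Dict[str, str] = APPROVED_TEAMS) -> str:
    """Classify a parsed signature against the pinned allowlist.

    Verdicts:
      unsigned-or-adhoc  no TeamIdentifier (codesign prints "not set" for ad-hoc)
      not-developer-id   signed, but not by an Apple-issued distribution cert
      unknown-app        Developer ID signed, but the app is not in our allowlist
      team-mismatch      app is allowlisted, but the signer's team differs
      pinned-ok          signer matches the team we recorded for this app
    """
    bundle: Optional[str] = info.get("Identifier")  # type: ignore[assignment]
    team: Optional[str] = info.get("TeamIdentifier")  # type: ignore[assignment]
    authorities: List[str] = info.get("Authority", [])  # type: ignore[assignment]

    if team is None or team == "not set":
        return "unsigned-or-adhoc"
    if not any(a.startswith("Developer ID Application:")
               or a.startswith("Apple Mac OS Application Signing")
               for a in authorities):
        return "not-developer-id"
    expected = approved.get(bundle or "")
    if expected is None:
        return "unknown-app"
    if expected != team:
        return "team-mismatch"
    return "pinned-ok"


def run_codesign(app_path: str) -> str:
    """Fetch live signature details on a Mac (codesign writes them to stderr)."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True, check=False)
    return proc.stderr


# Constructed sample in the shape codesign produces; values are made up.
SAMPLE = """Executable=/Applications/Example Trader.app/Contents/MacOS/Example Trader
Identifier=com.example.trader
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Aug 2018 at 10:00:00
Info.plist entries=24
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42
Internal requirements count=1 size=180
"""

if __name__ == "__main__":
    print(assess(parse_codesign(SAMPLE)))  # pinned-ok for the constructed sample
```

The check deliberately treats "unknown-app" as a finding rather than a pass: a freshly installed trading app that nobody has vetted is exactly the case this article describes. On a real Mac, feed `run_codesign("/Applications/Some.app")` into `parse_codesign` instead of the sample text.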
How Does AppleJeus Infect Its Targets?
According to the report, once a user downloads and installs Celas Trade Pro on a macOS computer, the app silently installs a hidden "autoupdater."
Autoupdaters are a common component of many apps. Normally they check for and download newer versions of the app, with the user's permission.
In the case of Celas Trade Pro, however, the autoupdater is programmed to profile the host machine and transmit that information to a command-and-control server.
The operators then review the data to decide whether the infected machine is worth their time. If they find it "interesting" enough, the autoupdater downloads a second-stage backdoor called FallChill. Unless remedial steps are taken promptly, FallChill gives the attackers essentially full remote control of the infected machine, letting them steal valuable financial data (or any other data they want). This staged design also has a consequence for defenders: because the backdoor is delivered only to hosts the operators select, a sandbox or analysis machine that does not look "interesting" may never receive it, so inspecting the installer alone can miss the real payload.