Security researcher Dinesh Devadoss tweeted their discovery of the malware yesterday. A detailed analysis of the malware can be read here.
"Contains code: Loads Mach-O from memory and executes it / Writes to a file and executes it @patrickwardle @thomasareed" (Dinesh Devadoss, @dineshdina04, December 3, 2019)

The malware masquerades as a cryptocurrency arbitrage platform, a type of service used to profit from price discrepancies between digital asset exchanges. According to researchers, the malware is designed to retrieve a payload from a remote server and then run it directly in the infected machine's memory. Bleeping Computer reports that the sample went virtually undetected on VirusTotal.

Researchers also say there are "clear overlaps" with AppleJeus, another piece of malware distributed by Lazarus. If you haven't heard that name before, where have you been? Lazarus is notorious for launching high-value attacks against cryptocurrency holdings. Last year, Hard Fork reported that the hacking group had stolen more than $570 million worth of cryptocurrency across five attacks.

The malicious package, named UnionCryptoTrader, was hosted on the fake arbitrage platform's website. The malware is programmed to run on each system reboot and to collect the system's serial number and OS version. That might sound worrisome; however, at the time of analysis the remote command-and-control server was not responding with a malicious payload. Either something is on the way, or the group behind this malware is testing its techniques for future attacks.

As Bleeping Computer points out, executing a file straight from memory is a rare strategy on macOS-based systems, and it is only just starting to gain popularity. Luckily, this one has been spotted before anything too nefarious has happened. Update your malware definitions, stat!

H/T – Bleeping Computer
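A payload that is executed from memory never lands on disk, so a defender who captures it (from a proxy, a sandbox, or a memory dump) has only a byte buffer to work with. The script below is an added example, written for this page and not code from the researchers, the malware, or Bleeping Computer: it parses a 64-bit Mach-O header and its load commands straight from bytes, handles a universal ("fat") wrapper, and reports the file type, because dyld's in-memory loading API (NSCreateObjectFileImageFromMemory) only accepts loadable bundles (MH_BUNDLE), which makes that field a quick triage signal. The sample image it parses is constructed inline with struct.pack; it is not the UnionCryptoTrader payload, and the segment and dylib values in it are illustrative assumptions.

```python
"""Triage a Mach-O held in memory: parse header and load commands from bytes."""
import struct

MH_MAGIC_64 = 0xFEEDFACF               # 64-bit Mach-O magic (host byte order)
FAT_MAGIC_BYTES = b"\xca\xfe\xba\xbe"  # universal binary header (big-endian)
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_MAIN = 0x80000028                   # LC_REQ_DYLD | 0x28
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
CPUTYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}


def parse_macho(blob):
    """Return a summary dict for a 64-bit Mach-O (thin or fat) given as bytes."""
    if blob[:4] == FAT_MAGIC_BYTES:
        (nfat,) = struct.unpack_from(">I", blob, 4)
        slices = []
        for i in range(nfat):
            cputype, _sub, off, size, _align = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
            if off + size > len(blob):
                raise ValueError("fat slice runs past end of blob")
            slices.append(parse_macho(blob[off:off + size]))
        return {"fat": True, "slices": slices}

    if len(blob) < 32:
        raise ValueError("too short for a Mach-O header")
    magic, cputype, _sub, filetype, ncmds, sizeofcmds, _flags, _res = \
        struct.unpack_from("<IiiIIIII", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O (magic 0x%08x)" % magic)
    end = 32 + sizeofcmds
    if end > len(blob):
        raise ValueError("load commands run past end of blob")

    info = {"fat": False, "arch": CPUTYPES.get(cputype, hex(cputype)),
            "filetype": FILETYPES.get(filetype, str(filetype)),
            "segments": [], "dylibs": [], "entryoff": None}
    off = 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("ncmds claims more commands than sizeofcmds holds")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == LC_SEGMENT_64:
            segname = blob[off + 8:off + 24].split(b"\0", 1)[0]
            info["segments"].append(segname.decode("ascii", "replace"))
        elif cmd == LC_LOAD_DYLIB:
            (name_off,) = struct.unpack_from("<I", blob, off + 8)  # lc_str offset
            name = blob[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            info["dylibs"].append(name.decode("utf-8", "replace"))
        elif cmd == LC_MAIN:
            (info["entryoff"],) = struct.unpack_from("<Q", blob, off + 8)
        off += cmdsize
    return info


def is_macho(blob):
    """True if the buffer parses as a Mach-O image (thin or fat)."""
    try:
        parse_macho(blob)
        return True
    except (ValueError, struct.error):
        return False


def triage_notes(info):
    """Human-readable observations a responder would want from the parsed header."""
    notes = []
    if info.get("filetype") == "MH_BUNDLE":
        notes.append("MH_BUNDLE: the file type dyld can map and run from memory")
    if info.get("filetype") == "MH_EXECUTE" and info.get("entryoff") is None:
        notes.append("MH_EXECUTE without LC_MAIN: unusual, possibly tampered header")
    return notes


# --- constructed sample input (not a real binary, not the malware) -----------
def _dylib_command(path):
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)          # load commands are 8-byte aligned
    # dylib_command: cmd, cmdsize, name offset (24), timestamp, current, compat
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name


def build_sample_bundle():
    """Minimal x86_64 MH_BUNDLE: one __TEXT segment and one dylib reference."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    cmds = seg + _dylib_command("/usr/lib/libSystem.B.dylib")
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 8, 2, len(cmds), 0x85, 0)
    return header + cmds


def build_fat(slices):
    """Wrap thin images in a fat container (offsets packed, no page alignment)."""
    off = 8 + 20 * len(slices)
    archs, data = b"", b""
    for s in slices:
        cputype, cpusub = struct.unpack_from("<ii", s, 4)
        archs += struct.pack(">iiIII", cputype, cpusub, off, len(s), 3)
        data += s
        off += len(s)
    return FAT_MAGIC_BYTES + struct.pack(">I", len(slices)) + archs + data


if __name__ == "__main__":
    summary = parse_macho(build_sample_bundle())
    print(summary, triage_notes(summary))
```

Point it at a captured buffer instead of build_sample_bundle() and the same call works unchanged; the error paths are deliberate, since a payload fetched from a live server may be truncated or have a deliberately patched header, and a parser that trusts ncmds or cmdsize blindly will read past the buffer.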