When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncryptovip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. Given the theme of cryptocurrency in the file and domain names-and North Korean hackers’ preoccupation with stealing digital coin-it’s a decent bet the follow-on infection is used to access wallets or similar assets. Wardle was unable to obtain a copy of the second-stage payload, so it’s not clear what it does. “Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).” “As the layout of an in-memory process image is different from its on disk-in image, one cannot simply copy a file into memory and directly execute it,” Wardle wrote. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac. If one is available, the malware downloads and decrypts it and then uses macOS programming interfaces to create what’s known as an object file image. The infected Mac begins contacting a server at hxxps://unioncryptovip/update to check for a second-stage payload. It is around this point in the infection chain that the fileless execution starts. As the US Department of Treasury reported in September, industry groups have unearthed evidence that North Korean hackers have siphoned hundreds of millions of dollars' worth of cryptocurrencies from exchanges in an attempt to fund the country's nuclear weapons development programs. Another piece of Mac malware, dubbed AppleJeus, did the same thing.Īnother trait that’s consistent with North Korean involvement is the interest in cryptocurrencies. ![]() Wardle said that the installation of a launch daemon whose plist and binary are stored hidden in an application’s resource directory is a technique that matches Lazarus, the name many researchers and intelligence officers use for a North Korean hacking group. The result is a malicious binary named unioncryptoupdated that runs as root and has “persistence,” meaning it survives reboots to ensure it runs constantly. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |