The Lazarus group, which has been named as one of North Korea's state-sponsored hacking teams, has been found to be using new tactics to infect macOS machines.
Dinesh_Devadoss, a threat analyst with anti-malware merchant K7 Computing, took credit for the discovery and reporting of what is believed to be the Lazarus group's first piece of in-memory malware on the Apple operating system.
In-memory infections, also known as fileless malware, operate entirely within the host machine's volatile RAM. This allows the software nasty to avoid setting off any antivirus systems that monitor files in storage or otherwise don't regularly scan all of system memory for threats.
The malware sample found by Dinesh_Devadoss was dissected this week by Mac security guru Patrick Wardle, who says the attack is a new spin on the classic Lazarus group tactic for slipping its malware onto the machines of unsuspecting users: no files are written to disk during the secondary stage of the attack, where the actual malicious activity occurs.
As with other infections from the Lazarus group, the attack begins as a fake cryptocurrency application that uses social engineering to trick the user into installing and running what they think is a legitimate app. This portion of the attack is similar to the previous 'AppleJeus' malware.
After the trojan is launched, however, the malware shows off its new trick: the secondary payload, the one where the actual spying or data theft would occur, can be performed in-memory without having to install further files on the hard drive.
To do this, Wardle says, the malware first downloads and decrypts the payload, then, using macOS API calls, creates what is called an object file image. This lets the malicious package run in memory just as it would were it installed locally.
'As the layout of an in-memory process image is different from its on-disk image, one cannot simply copy a file into memory and directly execute it,' Wardle said. 'Instead, you must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of the mapping and linking).'
So far, there is no indication as to precisely what Lazarus group plans to do with its new toy.
'At this time, while the remote command & control server remains online,' Wardle explained, 'it simply is responding with a '0', meaning no payload is provided.'
If the history of Lazarus group is any indication, however, the malware will likely have some sort of financial or government use to help fill the North Korean regime's coffers. ®