According to Kaspersky researchers, who analyzed the attacks carried out by the Lazarus group over the past 18 months, the North Korea-linked group is primarily targeting cryptocurrency transactions.
As security experts discovered in mid-2018, the group targeted cryptocurrency companies and transactions through a campaign called Operation AppleJeus, which aimed to deploy a trojanized cryptocurrency trading application.
Following the disclosure of Operation AppleJeus, the Lazarus group launched further attacks against cryptocurrency companies using similar tactics. Researchers identified more malware resembling that used in Operation AppleJeus.
The three macOS installers analyzed by Kaspersky follow a similar scenario after installation and when executing the second-stage payload. However, the researchers noticed a different kind of macOS malware, MarkMakingBot.dmg (be37637d8f6c1fbe7f3ffc702afdfe1d), created on 12-03-2019.
This malware has no encryption/decryption routine for its network communication, which indicates that it is still under development.
Recently, Kaspersky detected a new macOS malware that used a malicious application called UnionCryptoTrader. The Windows version of the same malware runs from the Telegram download folder.
Some of the payloads were executed in memory, with the backdoor payload being delivered at the final step of the attack chain.
Kaspersky identified several victims of AppleJeus, most of them in the United Kingdom, Poland, Russia and China; the experts point out that many of them are affiliated with cryptocurrency business entities.