Hackers believed to work for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.
In-memory execution, also known as fileless infection, never writes anything to a computer's hard drive. Instead, malicious code is loaded directly into memory and run from there. The technique is an effective way to dodge antivirus protection because there is no file to be analyzed or flagged as suspicious.
In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has since become increasingly common.
The malware isn't completely fileless. The first stage presents itself as a cryptocurrency app with the file name UnionCryptoTrader.dmg. When it first came to light earlier this week, only two of 57 antivirus products flagged it as suspicious. By Friday, according to VirusTotal, detection had improved only slightly, with 17 of 57 products flagging it.
Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, does the following:
- moves a hidden plist (.vip.unioncrypto.plist) from the application's Resources directory into /Library/LaunchDaemons
- sets it to be owned by root
- creates a directory /Library/UnionCrypto
- moves a hidden binary (.unioncryptoupdater) from the application's Resources directory into /Library/UnionCrypto/
- sets it as executable
- executes this binary (/Library/UnionCrypto/unioncryptoupdater)
The result is a malicious binary called unioncryptoupdater that runs as root and has "persistence", meaning it survives reboots so that it runs constantly.
Wardle said the installation of a launch daemon whose plist and binary are stored hidden in an application's Resources directory is a technique reminiscent of Lazarus, the name many researchers and intelligence agencies use for a North Korean hacking group. Another piece of Mac malware, called AppleJeus, did the same.
Another feature consistent with North Korean involvement is the interest in cryptocurrencies. As the US Treasury Department reported in September, industry groups have evidence that North Korean hackers have stolen hundreds of millions of dollars' worth of cryptocurrency in an effort to fund the country's nuclear weapons development programs.
Start in memory
It's at about this point in the infection chain that the fileless execution begins. The infected Mac starts contacting a server at hxxps://unioncrypto[.]vip/update to check for a second-stage payload. If one is available, the malware downloads and decodes it and uses macOS programming interfaces to create what is known as an object file image. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac.
"Since the in-memory layout of an image differs from its on-disk layout, one cannot simply copy a file into memory and execute it directly," Wardle wrote. "Instead, one must call APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking)."
Wardle was unable to obtain a copy of the second-stage payload, so it's not clear what it does. Given the cryptocurrency theme in the file and domain names, and North Korean hackers' preoccupation with stealing digital coin, it's a decent bet that the follow-up infection is used to access cryptocurrency wallets or similar assets.
When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncrypto[.]vip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. The domain no longer responded to pings on Friday.
[Image: the macOS unsigned-developer warning. Credit: Patrick Wardle]
While fileless infection is a further indication that Lazarus is growing more adept at developing stealthy malware, AppleJeus.c, as Wardle calls the recently discovered malware, is still easy for users to spot. That's because it isn't signed by an Apple-trusted developer, a shortcoming that causes macOS to display the warning shown above.
As is usual when installing applications, macOS also requires users to enter their Mac password. That's not automatically a tip-off that something suspicious is happening, but it does prevent the first stage from being installed via drive-bys or other covert methods.
It's unlikely that anyone outside of a cryptocurrency exchange would be targeted by this malware. Those who want to check can look for the presence of (1) /Library/LaunchDaemons/vip.unioncrypto.plist and (2) a running process or binary at /Library/UnionCrypto/unioncryptoupdater.
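The check described above, as an added shell script (not code from the article or from Wardle's analysis) that looks for the plist, the dropped binary and a running unioncryptoupdater process; the optional root-prefix argument is an assumption added so the same check can be run against a mounted volume or a test tree rather than only the live system.

```sh
#!/bin/sh
# Added example, not from the article or from Wardle's write-up: looks for the
# AppleJeus.c artifacts named in the text. An optional prefix argument
# (assumed here, default: the live root) lets the check run against a mounted
# volume or a test directory.

PLIST="/Library/LaunchDaemons/vip.unioncrypto.plist"
UPDATER="/Library/UnionCrypto/unioncryptoupdater"

# Prints one line per artifact found under "$1". Always exits 0 so it can be
# used inside command substitution even when the caller runs under `set -e`.
find_applejeus_artifacts() {
    root="${1:-}"
    for path in "$PLIST" "$UPDATER"; do
        if [ -e "${root}${path}" ]; then
            echo "file:${root}${path}"
        fi
    done
    # The installer marks the updater executable; report that separately.
    if [ -x "${root}${UPDATER}" ]; then
        echo "executable:${root}${UPDATER}"
    fi
    # A live process check only makes sense on the running system (no prefix).
    if [ -z "$root" ] && ps -axo comm= 2>/dev/null | grep -q 'unioncryptoupdater$'; then
        echo "process:unioncryptoupdater"
    fi
    return 0
}

# Verdict helper: exit status 0 if any artifact was found, 1 otherwise.
is_infected() {
    [ -n "$(find_applejeus_artifacts "$1")" ]
}

# Stand-alone run against the live system (run with sudo to read all paths).
if is_infected ""; then
    echo "AppleJeus.c artifacts present:"
    find_applejeus_artifacts ""
else
    echo "No AppleJeus.c artifacts found"
fi
```

Finding the plist alone is worth a closer look even without the binary: the daemon is what gives the malware its persistence across reboots.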