The notorious hacker group Lazarus, also blamed for the WannaCry outbreak, is trying to infect Mac users with new malware that uses fileless techniques to hide from anti-virus software. The second-stage payload is never written to the victim's hard drive as a file: the malicious code is loaded directly into memory and executed from there. This makes it hard for endpoint detection software to catch, because there is no file on disk to flag.
There is a silver lining, however: the malware is not completely fileless. Its first stage is a cryptocurrency trading application, delivered as UnionCryptoTrader.dmg, that has to be installed on disk. According to VirusTotal, 17 of 57 anti-virus engines now detect that installer; when the malware was discovered earlier this week, only 2 did.
Once Installed, the Malware Performs the Following Operations
- move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
- set it to be owned by root
- create a /Library/UnionCrypto directory
- move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
- set it to be executable
- execute this binary (/Library/UnionCrypto/unioncryptoupdater)
The result is a binary, unioncryptoupdater, that runs as root and, because it is registered as a launch daemon, persists across reboots.
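The persistence steps above leave two things a defender can hunt for: dot-prefixed files stashed in an app bundle's Resources directory, and a launch daemon plist whose program lives in /Library/UnionCrypto. The script below is an added example, not code from the article or from Objective-See; the indicators (plist label vip.unioncrypto, install directory /Library/UnionCrypto, binary name unioncryptoupdater) come from the article, while the triage rules, function names and the sample bundle it builds in a temporary directory are this example's own assumptions, so it runs offline without touching a real system.

```python
"""Hunt for the launch-daemon persistence described in the article.

Added example (not the article's or Objective-See's code). IOC strings are
from the article; the triage logic and the constructed sample layout are
assumptions made for illustration.
"""
import os
import plistlib
import tempfile

LAUNCH_DAEMON_DIR = "/Library/LaunchDaemons"
IOC_PLIST_LABEL = "vip.unioncrypto"      # from the article
IOC_INSTALL_DIR = "/Library/UnionCrypto"  # from the article
IOC_BINARY = "unioncryptoupdater"         # from the article


def hidden_resources(app_path):
    """Dot-prefixed files inside <app>/Contents/Resources (the stash the installer uses)."""
    res_dir = os.path.join(app_path, "Contents", "Resources")
    if not os.path.isdir(res_dir):
        return []
    return sorted(f for f in os.listdir(res_dir) if f.startswith("."))


def triage_launch_daemon(plist_path):
    """Parse one launch-daemon plist and return a list of findings (empty = nothing odd)."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"unparseable plist: {exc}"]
    findings = []
    label = str(data.get("Label", ""))
    if IOC_PLIST_LABEL in label:
        findings.append(f"Label matches IOC: {label}")
    # launchd takes the executable from Program or ProgramArguments[0].
    program = data.get("Program") or (data.get("ProgramArguments") or [None])[0]
    if program:
        base = os.path.basename(program)
        if program.startswith(IOC_INSTALL_DIR + "/") or base == IOC_BINARY:
            findings.append(f"program matches IOC path: {program}")
        if base.startswith("."):
            findings.append(f"program is a hidden file: {program}")
    # RunAtLoad / KeepAlive are standard launchd keys (assumption: a persistence
    # daemon sets one of them); only reported when something else already fired.
    if findings and (data.get("RunAtLoad") or data.get("KeepAlive")):
        findings.append("RunAtLoad/KeepAlive set: starts at boot as root")
    return findings


def scan_launch_daemons(daemon_dir=LAUNCH_DAEMON_DIR):
    """Triage every .plist in a launch-daemon directory; returns {path: findings}."""
    results = {}
    if not os.path.isdir(daemon_dir):
        return results
    for name in sorted(os.listdir(daemon_dir)):
        if name.endswith(".plist"):
            path = os.path.join(daemon_dir, name)
            findings = triage_launch_daemon(path)
            if findings:
                results[path] = findings
    return results


def build_sample_bundle(root):
    """Constructed sample (not a captured artifact): a fake app bundle and a
    LaunchDaemons directory mirroring the layout the article describes."""
    app = os.path.join(root, "UnionCryptoTrader.app")
    res = os.path.join(app, "Contents", "Resources")
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(res)
    os.makedirs(daemons)
    open(os.path.join(res, "AppIcon.icns"), "wb").close()         # benign resource
    open(os.path.join(res, ".unioncryptoupdater"), "wb").close()  # hidden binary
    malicious = {"Label": "vip.unioncrypto",
                 "ProgramArguments": ["/Library/UnionCrypto/unioncryptoupdater"],
                 "RunAtLoad": True}
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Library/PrivilegedHelperTools/com.example.updater"],
              "RunAtLoad": True}
    for path, content in ((os.path.join(res, ".vip.unioncrypto.plist"), malicious),
                          (os.path.join(daemons, "vip.unioncrypto.plist"), malicious),
                          (os.path.join(daemons, "com.example.updater.plist"), benign)):
        with open(path, "wb") as fh:
            plistlib.dump(content, fh)
    return app, daemons


def run_demo():
    """Build the sample layout in a temp dir; return (hidden files, daemon hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        app, daemons = build_sample_bundle(tmp)
        return hidden_resources(app), scan_launch_daemons(daemons)


if __name__ == "__main__":
    hidden, hits = run_demo()
    print("hidden files in Resources:", hidden)
    for path, findings in hits.items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

On a real machine, call `hidden_resources("/Applications/SomeApp.app")` and `scan_launch_daemons()` with the default directory; the hidden-file check is the more general signal, since a new sample could change the label and install path while keeping the same stash-in-Resources habit.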
Researchers attribute this malware to Lazarus because the launch daemon plist and the binary are stashed in the application’s Resources directory, a technique mainly used by the Lazarus group.
In his blog post, Patrick Wardle wrote: “Because the in-memory layout of an image differs from its layout on disk, you cannot just copy the file into memory and run it directly; instead you have to rely on APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which handle memory allocation and preparation).”
This malware targets people involved in cryptocurrency trading. To protect yourself, do not install suspicious applications from the Internet.