By Gabrielle Joyce Mabutas
Criminal interest in MacOS continues to grow, with malware authors churning out more threats that target users of the popular OS. Case in point: A new variant of a Mac backdoor (detected by Trend Micro as Backdoor.MacOS.NUKESPED.A) attributed to the cybercriminal group Lazarus, which was observed targeting Korean users with a macro-embedded Microsoft Excel spreadsheet.
Similarities to an earlier Lazarus iteration
We analyzed a malicious sample first discovered by Twitter user cyberwar_15, and found that it used an Excel document with an embedded macro, which is similar to a previous attack by the Lazarus group.
Figure 1. The spreadsheet displays a fairly known psychological test (similar to one found here); clicking on the smiley image on the top left shows a different response depending on the user’s answer.
However, unlike the previous attack that contains a different routine based on the OS the spreadsheet is running on, the macro in this file will just run a PowerShell script that connects to three C&C servers set up by the group:
Figure 2. The macro file connects to hxxps[:]//crabbedly[.]club/board[.]php, hxxps[:]//craypot[.]live/board[.]php, and hxxps[:]//indagator[.]club/board[.]php.