New Lazarus macOS Trojan Is Using Fileless Techniques



A new macOS Trojan has been uncovered which researchers believe was developed by the Lazarus hacking group. The malware has been analyzed by Patrick Wardle.

However, it was discovered by another security researcher, Dinesh Devadoss, who shared his findings in a tweet. Devadoss also provided a hash for the malware sample.


The sample is packaged as UnionCryptoTrader and was hosted on a website known as unioncrypto.vip, advertised as a smart cryptocurrency arbitrage trading platform.


New macOS Trojan Analyzed by Patrick Wardle


According to Wardle’s analysis, the malware has a postinstall script that installs the vip.unioncrypto.plist launch daemon to achieve persistence. This script is designed to:



- move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
- set it to be owned by root
- create a /Library/UnionCrypto directory
- move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
- execute this binary (/Library/UnionCrypto/unioncryptoupdater)



“Though installing a launch daemon requires root access, the installer will prompt the user for their credentials. Thus, once the installer completes, the binary unioncryptoupdater will be both currently executing and persistently installed,” Wardle said.


Because the launch daemon’s RunAtLoad key is set to true, the hidden unioncryptoupdater binary runs each time the system boots. The binary also collects basic system information, including the serial number and OS version.
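The persistence described above (a launch daemon in /Library/LaunchDaemons with RunAtLoad set to true, pointing at a binary in a freshly created /Library/UnionCrypto directory) is something a defender can audit directly from the plist files. The following is an added example, not code from Wardle’s analysis or from the malware, showing how to parse a launchd plist and flag those traits. The plist contents are constructed to approximate what the article describes; the Label value and the use of ProgramArguments are assumptions, since the write-up names the file and the binary but not the key layout, and the trusted-prefix list is a tunable heuristic rather than an Apple-defined allow-list.

```python
import os
import plistlib
from typing import Optional

# Constructed sample approximating the daemon described in the article:
# RunAtLoad true, executable at /Library/UnionCrypto/unioncryptoupdater.
# The Label string and the ProgramArguments layout are assumptions.
SAMPLE_DAEMON_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>vip.unioncrypto</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/UnionCrypto/unioncryptoupdater</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Constructed benign daemon for contrast (hypothetical vendor helper).
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.helper</string>
    <key>Program</key>
    <string>/usr/libexec/example-helper</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Heuristic allow-list of directories where daemon executables normally live.
# Third-party software that drops a new top-level /Library/<Vendor> directory,
# as the installer here does, will fall outside it and be reported.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Library/PrivilegedHelperTools/")


def daemon_program(plist: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def assess_launch_daemon(plist_bytes: bytes, plist_path: str) -> dict:
    """Parse one launchd plist and collect the persistence traits worth a second look."""
    plist = plistlib.loads(plist_bytes)
    program = daemon_program(plist)
    findings = []
    # RunAtLoad is common for legitimate daemons too, so it only counts
    # when combined with another trait.
    if plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad: job starts at every boot")
    if os.path.basename(plist_path).startswith("."):
        findings.append("hidden plist filename")
    if program:
        if os.path.basename(program).startswith("."):
            findings.append("hidden executable name")
        if not program.startswith(TRUSTED_PREFIXES):
            findings.append(f"executable outside trusted prefixes: {program}")
    return {
        "label": plist.get("Label"),
        "program": program,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


def scan_launch_daemons(directory: str = "/Library/LaunchDaemons") -> list:
    """Assess every plist in a LaunchDaemons directory (os.listdir includes dotfiles)."""
    results = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            results.append(assess_launch_daemon(fh.read(), path))
    return results


if __name__ == "__main__":
    for blob, path in ((SAMPLE_DAEMON_PLIST, "/Library/LaunchDaemons/vip.unioncrypto.plist"),
                       (SAMPLE_BENIGN_PLIST, "/Library/LaunchDaemons/com.example.helper.plist")):
        print(path, assess_launch_daemon(blob, path))
```

Running `scan_launch_daemons()` on a live machine reads the real /Library/LaunchDaemons directory; the module’s `__main__` block only exercises the two constructed samples, so it runs offline without touching the system.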
