New fileless malware for macOS evades signature-based detection

A new report from digital forensics specialists claims that the Lazarus group is attempting to inject a new fileless Trojan into thousands of computers running Apple's macOS; to carry out the attack, the hackers are using a fake cryptocurrency exchange app as the lure.

The discovery was reported by Dinesh Devadoss of the security firm K7 Computing, who shared his finding with Mac security researcher Patrick Wardle; Wardle had seen similar attacks before. According to Wardle, the 2018 malware identified as OSX.AppleJeus also used a cryptocurrency trading app to attract enthusiasts and steal virtual assets.

To make these applications seem trustworthy, the attackers resorted to a well-known trick: setting up fake software companies and obtaining legitimate code-signing certificates in their names. In both campaigns, everything points to the Lazarus group as the perpetrator, according to the digital forensics specialists.

Wardle named the new Trojan OSX.AppleJeus.C. It follows the same mode of operation as its predecessor, with one new feature: the second-stage payload runs in memory as a fileless payload. As the name suggests, fileless malware never writes that payload to disk, which sidesteps file-based signature scanners; its footprint is limited to main memory.

Fileless malware typically co-opts legitimate processes and scripting tools already present on the system rather than dropping its own executables (on Windows, PowerShell is the classic example). In this campaign, the forensics experts found that the cryptocurrency app's installer initiates the infection and writes a persistence component to disk; that component then uses Apple's API for creating an object file image directly from memory (NSCreateObjectFileImageFromMemory, followed by NSLinkModule) to load the remote payload without ever writing it to disk.

Thereafter, the loader keeps the payload only in main memory, contacting a remote server to receive whatever payload the threat actors choose to send and executing it without touching disk.
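The persistence component is the part of this chain that does touch disk, and it is where a defender can look. The script below is an added example, not code from the article, from K7 Computing or from Wardle's analysis: it assumes the persistence is a launchd property list (the usual mechanism on macOS), parses each plist with the standard library, and flags jobs that launchd starts on its own while running a program outside the directories Apple's own daemons live in. The sample plists, labels and paths are constructed for this example and are hypothetical.

```python
"""Triage of launchd persistence entries (added example, not the article's code).

Assumes the implant persists as a launchd plist; the sample plists, labels
and program paths below are constructed for this example.
"""
import plistlib
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Where Apple-shipped daemons normally live (assumption made for this example).
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Constructed sample plists, keyed by the path they would occupy on disk.
SAMPLE_PLISTS: Dict[str, bytes] = {
    # Hypothetical benign job: Apple-style label, binary under /usr/libexec.
    "/Library/LaunchDaemons/com.apple.sample-daemon.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.sample-daemon</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/sample-daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>""",
    # Hypothetical implant job in the shape the article describes: a vendor
    # directory under /Library, started at boot and restarted if it exits.
    "/Library/LaunchDaemons/com.example.cryptoupdater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.cryptoupdater</string>
  <key>ProgramArguments</key><array><string>/Library/ExampleCrypto/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>""",
}


def program_path(job: dict) -> str:
    """Executable a launchd job runs: Program wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_launchd(plists: Dict[str, bytes]) -> List[dict]:
    """Return one finding per suspicious job, or per plist that cannot be parsed."""
    findings: List[dict] = []
    for path, raw in plists.items():
        try:
            job = plistlib.loads(raw)
        except (plistlib.InvalidFileException, ExpatError):
            job = None
        if not isinstance(job, dict):
            # A persistence file launchd cannot read is itself worth a look.
            findings.append({"path": path, "label": None, "program": None,
                             "reasons": ["unparseable plist"]})
            continue
        program = program_path(job)
        reasons: List[str] = []
        if not program:
            reasons.append("no program")
        elif not program.startswith(TRUSTED_PROGRAM_PREFIXES):
            reasons.append("program outside Apple-managed directories")
        autostart = job.get("RunAtLoad") is True or bool(job.get("KeepAlive"))
        # A foreign binary that launchd starts by itself is the persistence pattern to flag.
        if reasons and autostart:
            reasons.append("started automatically by launchd")
            findings.append({"path": path, "label": job.get("Label"),
                             "program": program, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_launchd(SAMPLE_PLISTS):
        print(f"{f['path']}: {f['label']} -> {f['program']} ({', '.join(f['reasons'])})")
```

On a real machine you would feed it the contents of /Library/LaunchDaemons and /Library/LaunchAgents; the flagged binaries are the ones to hash, check with codesign, and inspect for network activity, since the in-memory payload itself leaves nothing on disk to scan.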

Although it looks like a really dangerous attack, it depends heavily on user interaction: for the infection to complete, the user must ignore at least two macOS warnings:

  • The installer is not signed, so macOS warns before it will run
  • The installer asks for an administrator password, which the malware needs to gain root access

In other words, the target must knowingly install an unsigned application and grant it administrative rights, which is a terrible idea for any user.

According to the digital forensics specialists of the International Institute of Cyber Security (IICS), there are several additional security tools for macOS that will help any user, whether they are a cryptocurrency enthusiast or use their Apple devices for everyday tasks.