New Lazarus Group MacOS Malware Found


Researchers found a new MacOS malware that can execute remote code in memory. Researchers think the Lazarus Group is behind it. The MacOS trojan hides behind a fake crypto trading platform called Union Crypto Trader and can elude detection by most anti-virus software. Security researcher Patrick Wardle believes this is the work of the Lazarus Group due to the delivery method of the trojan, through a crypto-currency installer package, UnionCryptoTrader.pkg.

Lazarus Group has been known to target users or administrators of crypto-currency exchanges. Their method of infecting such targets is through fake crypto-currency company and trading applications. The newly discovered attack follows a similar pattern, with the installer being hosted on a website called unioncrypto.vip that advertises a cryptocurrency arbitrage trading platform but provides no download links.


The malware can remotely download and execute payloads directly in memory on MacOS. Once the installer runs, it executes a postinstall script at the end of the installation process, which is used to persistently install a launch daemon. The script moves a hidden plist, .vip.unioncrypto.plist, from the application's Resources directory into /Library/LaunchDaemons. It then sets it to be owned by root and creates a /Library/UnionCrypto directory. It then moves a hidden binary, .unioncryptoupdater, from the application's Resources directory into /Library/UnionCrypto/. Finally, it sets that binary to be executable and executes it.
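As an added defender-side example, not code from the article or from the researcher's write-up, the POSIX shell script below checks a Mac for the persistence artifacts the postinstall script leaves behind: the plist in /Library/LaunchDaemons, the /Library/UnionCrypto directory and the hidden updater binary. The optional root-prefix argument (an assumption for this example) lets the same check run against a mounted volume or a test tree; the launchd label vip.unioncrypto is assumed from the plist's file name.

```shell
#!/bin/sh
# Added example (not from the article): look for the UnionCryptoTrader
# persistence artifacts described above. Optional first argument is a
# root prefix (assumed here) so the check can target a mounted image.

# Paths named in the article's description of the postinstall script.
UC_PLIST="/Library/LaunchDaemons/.vip.unioncrypto.plist"
UC_DIR="/Library/UnionCrypto"
UC_BIN="/Library/UnionCrypto/.unioncryptoupdater"

# Prints the number of artifacts present to stdout; details go to stderr.
count_unioncrypto_artifacts() {
    root="${1:-}"
    found=0
    for rel in "$UC_PLIST" "$UC_DIR" "$UC_BIN"; do
        path="$root$rel"
        if [ -e "$path" ]; then
            # ls -ld shows owner and mode: the article says the files are
            # set to root and the binary is made executable.
            echo "FOUND: $(ls -ld "$path")" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Exit status 0 when none of the artifacts exist, 1 otherwise.
unioncrypto_clean() {
    [ "$(count_unioncrypto_artifacts "${1:-}")" -eq 0 ]
}

# On a live macOS host, also ask launchd whether the daemon is loaded.
# Label assumed from the plist name; returns 1 where launchctl is absent.
unioncrypto_daemon_loaded() {
    command -v launchctl >/dev/null 2>&1 || return 1
    launchctl list 2>/dev/null | grep -q 'vip.unioncrypto'
}

# Stand-alone use: `sh check.sh` scans the running system,
# `sh check.sh /Volumes/Other` scans a mounted volume.
if unioncrypto_clean "${1:-}"; then
    echo "no UnionCrypto persistence artifacts under '${1:-/}'"
else
    echo "WARNING: UnionCrypto persistence artifacts present under '${1:-/}'"
    if unioncrypto_daemon_loaded; then
        echo "WARNING: launchd reports the vip.unioncrypto daemon as loaded"
    fi
fi
```

A hit on any of the three paths is enough to warrant pulling the host for investigation; the `ls -ld` output on stderr records the root ownership and executable bit that the installer sets, which is useful evidence to keep alongside the finding.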

Lazarus' latest malware won't affect the average Mac user, who doesn't have to worry about it. Since the installer package is unsigned, MacOS will warn users if they attempt to open it.