Recently, researchers at K7 Labs observed that the Lazarus APT group has been distributing new fileless malware to infect macOS users through fake cryptocurrency trading applications. The North Korean group first appeared in 2009 and first used this malware in August 2018. It has targeted financial organizations around the world using a variety of advanced tools and techniques.
The malware is understood to target users and administrators of cryptocurrency exchanges. In the attack, the hackers lure victims into downloading a malicious trading application from a fake website. After successful installation, the application prompts the user for root credentials to gain elevated access; the purpose is to install a persistent background program that runs at startup.
The malware can collect information about the infected system, it has network command-and-control functions, and it can execute a payload received from its operators directly in memory instead of loading it from a file on disk.
Researchers say that fileless macOS malware is rare and that such sophisticated features had not been seen in earlier macOS malware, a sign that the APT group is looking for new ways to attack the Mac ecosystem.