Ghost Mach-O: an analysis of Lazarus’ Mac-malware innovations

2020-10-02 K7Security Labs

https://vb2020.vblocalhost.com/uploads/VB2020-Devadoss.pdf

Attachments

VB2020-Devadoss.pdf (2 MB)

K7 Computing analyzes Lazarus' macOS malware innovations around Union Crypto Trader and related cryptocurrency-targeting campaigns. The source describes trojanized trading applications delivered through phishing and fake websites, signed installers, post-install scripts that move LaunchDaemon persistence files and backdoors into place, and a MemoryBasedBundle technique that executes Mach-O code directly from memory to evade disk-based detection. It also notes malicious documents targeting Korean users whose macros deliver OS-specific payloads, showing Lazarus' expanding macOS toolchain across Objective-C, Swift, C, Qt, and fileless execution.

Indicators of Compromise

Type Value First Seen Last Seen
URL https://www.theregister.com/201… 2020-10-02 2020-10-02
URL https://threatvector.cylance.co… 2020-10-02 2020-10-02
DOMAIN threatvector.cylance.com 2020-10-02 2020-10-02
