In March 2019 Kaspersky published an article about the Lazarus APT group's continued targeting of financial entities. Their report noted that the new campaign being tracked was targeting both Windows and macOS users. The campaign used malicious PowerShell scripts on Windows as well as macOS-specific malware. Recently, new versions of the previously reported macOS malware have been identified; they are being distributed via a fake photo album viewing application.
The malware dropper extracts the backdoor binary from itself and attempts to save it to the user’s home directory. It then tries to persist by installing a launch agent into the user’s ~/Library/LaunchAgents directory. Next it executes the backdoor application. After dropping and executing the backdoor payload, the malware executes a hidden binary so that the end user thinks the photo album application is running properly. You can see the process tree and TTPs for the malware dropper below:
The backdoor attempts to contact a list of C2 servers over HTTPS and runs perpetually, waiting for commands. It can collect host information, upload and download files, and execute arbitrary shell commands.
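The persistence step described above (a launch agent under ~/Library/LaunchAgents pointing at a payload written to the user's home directory) is the part a defender can check for directly. The following is an added example, not code from the report or from Symantec: it parses LaunchAgent property lists and flags any whose program lives under the user's home directory. The two plists, their labels and their paths are constructed placeholders, not indicators from the report; the `scan_launch_agents` helper shows how the same logic would be run over the real directory.

```python
"""Triage macOS LaunchAgent plists for home-directory persistence.

Added example (not from the original report). A launch agent whose
Program / ProgramArguments[0] resolves to a path under $HOME matches the
dropper behaviour described: payload saved to the home directory, launch
agent installed to ~/Library/LaunchAgents to start it.
"""
import os
import plistlib
from typing import Dict, List, Optional

# Constructed sample plists standing in for files in ~/Library/LaunchAgents.
# Labels and paths are hypothetical placeholders, not IOCs from the report.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.updater/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.vendor.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.helper</string>
  <key>Program</key><string>/Applications/Vendor.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


def program_path(plist: dict) -> Optional[str]:
    """Return the executable launchd will run: Program wins over ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else None


def runs_from_home(path: str, home: str) -> bool:
    """True when the executable path is located anywhere under the home directory."""
    norm_home = os.path.normpath(home) + os.sep
    return os.path.normpath(path).startswith(norm_home)


def triage(plists: Dict[str, bytes], home: str) -> List[dict]:
    """Parse each plist and report agents that start a binary stored under `home`.

    Unparseable plists are reported too: a launch agent that will not parse
    is itself worth a look.
    """
    findings: List[dict] = []
    for name, data in plists.items():
        try:
            parsed = plistlib.loads(data)
        except Exception as exc:  # expat errors, InvalidFileException, etc.
            findings.append({"file": name, "label": None, "program": None,
                             "reason": f"unparseable plist: {exc.__class__.__name__}"})
            continue
        program = program_path(parsed)
        if program and runs_from_home(program, home):
            findings.append({"file": name, "label": parsed.get("Label"),
                             "program": program,
                             "run_at_load": bool(parsed.get("RunAtLoad")),
                             "reason": "launch agent executes a binary from the home directory"})
    return findings


def scan_launch_agents(directory: Optional[str] = None) -> List[dict]:
    """Run the same triage over the real per-user LaunchAgents directory."""
    home = os.path.expanduser("~")
    directory = directory or os.path.join(home, "Library", "LaunchAgents")
    plists: Dict[str, bytes] = {}
    if os.path.isdir(directory):
        for name in sorted(os.listdir(directory)):
            if name.endswith(".plist"):
                with open(os.path.join(directory, name), "rb") as fh:
                    plists[name] = fh.read()
    return triage(plists, home)


if __name__ == "__main__":
    for finding in triage(SAMPLE_PLISTS, "/Users/alice"):
        print(finding)
```

Executables under a user's home directory are not malicious by themselves (developer tools and some updaters live there), so treat a hit as a triage lead to be checked against the file's code signature and hash rather than a verdict.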
| TID | Tactic | Technique |
|---|---|---|
| T1152 | Defense Evasion, Execution, Persistence | Launchctl |
| T1159 | Persistence | LaunchAgent |
| T1005 | Collection | Data from Local System |
| T1105 | Command And Control, Lateral Movement | Remote File Copy |
| T1071 | Command And Control | Standard Application Layer Protocol |
| Indicator | Type | Context |
|---|---|---|
| 735365ef9aa6cca946cfef9a4b85f68e7f9f03011da0cf5f5ab517a381e40d02 | SHA256 | OSX.Yort Dropper Sample |
| 6f7a5f1d52d3bfc6f175bf2bbb665e4bd99b0453e2d2e27712fe9b71c55962dc | SHA256 | OSX.Yort Sample |
| crabbedly[.]club | DNS | C2 server |
| craypot[.]live | DNS | C2 server |
| indagator[.]club | DNS | C2 server |
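The indicators above are published defanged, and the C2 domains should match subdomains as well as the apex names. The following added example (not code from the report) refangs the indicators and sweeps them over a constructed DNS resolver log and a constructed set of file hashes; the log format, client addresses and file paths are invented for the example, while the hashes and domains are the ones in the table.

```python
"""Sweep the report's IOCs over sample DNS log lines and file hashes.

Added example, not from the original report. The indicator values are
taken from the table above; the log format and the observed file paths
are constructed for demonstration.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators from the report, as published (domains defanged with [.]).
IOC_DOMAINS_DEFANGED = ["crabbedly[.]club", "craypot[.]live", "indagator[.]club"]
IOC_SHA256 = {
    "735365ef9aa6cca946cfef9a4b85f68e7f9f03011da0cf5f5ab517a381e40d02",  # OSX.Yort dropper
    "6f7a5f1d52d3bfc6f175bf2bbb665e4bd99b0453e2d2e27712fe9b71c55962dc",  # OSX.Yort backdoor
}

# Constructed resolver log; the format (timestamp, client, query) is invented.
SAMPLE_DNS_LOG = """\
2019-06-01T10:00:01Z client 10.0.0.5 query: A www.apple.com
2019-06-01T10:00:07Z client 10.0.0.5 query: A CRAYPOT.live.
2019-06-01T10:00:09Z client 10.0.0.7 query: A cdn.indagator.club
2019-06-01T10:00:12Z client 10.0.0.9 query: A notcrabbedly.club
"""
LOG_RE = re.compile(r"client (?P<client>\S+) query: \S+ (?P<qname>\S+)")

# Constructed path -> SHA256 inventory, e.g. from an EDR file-hash export.
SAMPLE_FILE_HASHES: Dict[str, str] = {
    "/Users/alice/Downloads/sample.bin":
        "735365EF9AA6CCA946CFEF9A4B85F68E7F9F03011DA0CF5F5AB517A381E40D02",
    "/Applications/Safari.app/Contents/MacOS/Safari":
        "0000000000000000000000000000000000000000000000000000000000000000",
}


def refang(indicator: str) -> str:
    """Undo common defanging and normalise a domain for comparison."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").strip().lower().rstrip("."))


def domain_matches(qname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the matching IOC if `qname` is the domain or a subdomain of it.

    The leading dot in the endswith check stops 'notcrabbedly.club' from
    matching 'crabbedly.club'.
    """
    q = qname.strip().lower().rstrip(".")
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def match_dns_log(log: str, iocs_defanged: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Yield (client, queried name, matched IOC) for every hit in the log."""
    iocs = [refang(d) for d in iocs_defanged]
    hits: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        hit = domain_matches(m["qname"], iocs)
        if hit:
            hits.append((m["client"], m["qname"], hit))
    return hits


def match_hashes(observed: Dict[str, str], iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, sha256) pairs whose hash is in the IOC set, case-insensitively."""
    wanted = {h.lower() for h in iocs}
    return [(path, digest.lower()) for path, digest in observed.items()
            if digest.lower() in wanted]


if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG, IOC_DOMAINS_DEFANGED):
        print("DNS hit:", hit)
    for hit in match_hashes(SAMPLE_FILE_HASHES, IOC_SHA256):
        print("Hash hit:", hit)
```

Normalising case and the trailing dot before comparison matters: resolver logs often record the fully qualified name with a trailing dot, and hash exports vary in letter case, so a naive string equality would miss both of the constructed hits.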