Lazarus Group Enhances Cross-Platform Malware Efforts Targeting macOS Users
Recent developments indicate that hackers pursuing cryptocurrency are increasingly targeting macOS users. A report by Trellix, a vendor specializing in endpoint detection and response, highlighted a nearly 60% increase in the detection of macOS-specific threats over the last ten months. This surge correlates with the rising incidents of attacks against Mac systems, prompting the company to enhance its detection capabilities accordingly.
These threats encompass malware attacks and preemptive phishing campaigns, along with activities involving AppleScript, file and directory reconnaissance, and data exfiltration. Although the notion that “the sky isn’t falling” for Mac users persists, the landscape of threats has shifted significantly, particularly concerning cryptocurrency.
North Korea remains a primary adversary in the cryptocurrency threat landscape. The country’s Lazarus Group is known for its relentless pursuit of digital currencies to sustain its regime, evade international sanctions, and fund weapons development. Historically, the emphasis on Windows over macOS for cybercriminal activities can be attributed to the sheer volume of Windows users, holding 73% of the desktop OS market compared to macOS’s 15% as reported by StatCounter.
However, as macOS gains traction in corporate environments—particularly among users in roles with extensive access privileges—criminal interests are beginning to shift. Key personnel like developers and executives using macOS can present lucrative targets for attackers seeking to exploit their access for fraudulent activities, as detailed by Trellix.
The rise of cross-platform programming languages, such as Python and Rust, has made it easier for hackers to develop malware that runs on several operating systems from a single code base. The Lazarus Group exemplifies this adaptation, having increasingly used these languages to streamline its attack tooling. Notably, the RustBucket backdoor—a cross-platform threat—marks an expansion of the group's operational focus toward Mac users.
Information-stealing malware targeting macOS has also escalated. The transformation of Xloader, originally targeting Windows, into a macOS variant indicates an evolving threat landscape. Other malicious programs, such as Atomic Stealer and Cuckoo Stealer, have been identified, showcasing a diverse array of espionage capabilities aimed at exfiltrating sensitive information.
The tactics likely employed map to the MITRE ATT&CK framework’s categories, including initial access through social engineering, persistence via malware deployment, and privilege escalation aimed at maximizing the potential for data compromise. The exploitation of vulnerabilities in existing applications and software supply chains further highlights the sophistication of these efforts, as evidenced by recent incidents in which malware was disguised as legitimate code within open-source repositories.
Although macOS remains a less frequent target compared to Windows, users—especially those involved with cryptocurrency—must remain vigilant. Given the evolving nature of threats and the increasing ease with which attackers can penetrate macOS systems, maintaining robust cybersecurity practices is essential for safeguarding sensitive assets.