New Malware Sheds Light on How Cryptocurrency Exchanges Get Hacked

The new malware operates under the guise of a client-side trading software called “JTM Trading Software” and appears to be operated by the infamous North Korean Lazarus APT Group. It is primarily distributed to unsuspecting victims over email. In order to make the operation seem more authentic, those behind the malware even fabricated an entire company known as “Celas Trade Pro” and developed a convincing-looking website and GitHub profile to help quell suspicions surrounding the software.

An Older Trojan, Just Repurposed

After installing the base application, a script would then run to install a backdoor on the user’s system. This backdoor would be executed every time the computer is restarted, ensuring it is always operating in the background. As for exactly what the backdoor does, it appears that it allows a remote attacker to execute hidden shell commands on the user’s system, which could allow the attacker to easily exfiltrate data to a remote server (IP: 185.228.83.32), snoop on the current state of the infected system and possibly install additional malware silently. According to the report by Objective-See, the malware appears to be built on the code of a previously detected unnamed backdoor and is likely produced by the same North Korean malware team known as Lazarus.

“The ability to remotely execute commands, clearly gives a remote attacker full and extensible control over the infected macOS system!” notes security researcher Patrick Wardle (Objective-See).

What is particularly worrying about JTM Trading software is that up until just days ago, the malware was completely undetectable by most popular antiviruses, while according to VirusTotal, two-thirds of antiviruses still fail to recognize its malicious behavior.

macOS Users Under The Crosshair

The new attack is rare among exploits since it only targets devices running macOS—arguably one of the most secure operating systems in use today. However, since Apple’s Gatekeeper software ensures that macOS users can only easily install apps from trusted vendors, or are required to manually confirm that they wish to open untrusted apps through a multi-step process that warns users against doing so every step of the way. In order to avoid this issue, MacOS software providers will need to be part of the Apple Developer Program or Apple Developer Enterprise Program, which will allow them to develop a Developer ID certificate and sign their software with it, before submitting it for notarization by Apple. However, phony companies distributing virus-laden software will almost certainly fail to obtain a Developer IP certificate, which means any malware distributed to a target victim will need to be manually installed. Like its predecessor, it appears the new malware is targeted at those with access to the back-end of cryptocurrency exchanges. After installation, the malware would likely be used for stealing private keys and access details, which could then be used to drain the exchange coffers. As of yet, it is unclear whether anybody has been successfully fooled by the attack. Speaking of which, recently, BeInCrypto reported on a cybersecurity firm that found some malware that utilizes Bitcoin script. Do you think the same hacking group could be behind some of the recent exchange hacks? Let us know your thoughts in the comments below!

---

Images are courtesy of Shutterstock.