Kaspersky Lab: North Korea Hacks Cryptocurrency Exchange With ‘First’ macOS Malware

North Korean hackers have infected a cryptocurrency exchange with malware for both Windows and macOS for reportedly the first time, Russian internet security company Kaspersky Lab announced Thursday, August 23.

In Kaspersky’s report, the company reveals the malware — dubbed “AppleJeus” — made its way into the systems of an unnamed exchange after an employee downloaded a “tainted” app. Kaspersky now believes the app came from a fake developer with fake security certificates in a major operation by North Korean hacker collective Lazarus Group.

The malware aimed to steal cryptocurrency funds, Kaspersky claims, in what marks the latest in a spate of both successful and failed attempts by North Korea in the crypto hacking space.

Kaspersky’s report states that in order to “ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS,” noting:

“A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.”

South Korean exchanges have traditionally been the targets for Lazarus, with a rash of complaints surfacing with regard to attacks on platforms such as Bithumb, YouBit, and Coinlink.

Speaking to Bleeping Computer, Vitaly Kamluk, head of Kaspersky’s GReAT APAC team, added:

“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation.”

In early July, a group of security researchers had discovered macOS malware attacks targeting Slack and Discord users talking about cryptocurrencies, with hackers  impersonating “key people” in crypto-related chats and then sharing “small snippets” that are downloaded and execute a malicious binary.

Retrieved from