Wired reports that no Coldplay collection in the world is safe from North Korea now that the Lazarus Group uses a loader that lets it clandestinely run a diverse array of malware on targeted Macs while leaving hardly a trace.
But what is more embarrassing for Apple is that Lazarus didn't create the loader on its own. The group seems to have found it lying around online, where it had been available for a long time, and simply recycled it to elevate its attacks.
At the RSA security conference in San Francisco former National Security Agency analyst and Jamf researcher Patrick Wardle will show a particularly compelling example of how ubiquitous and extensive malware reuse really is, even on Macs—and how vital it is to take the threat seriously.
“You take malware that someone else has created, analyse it, and then reconfigure it so you can redeploy it,” according to Wardle. “Why would you develop something new when three-letter agencies and other groups are creating just incredible malware that’s fully featured, fully tested, and a lot of times has even already been tested in the wild? The Lazarus Group programmers either Googled this or saw the presentation about it.”
Researchers saw Lazarus Group using early iterations of the loader in 2016 and 2018, and the tool has continued to evolve and mature. Once Lazarus tricks a victim into installing the loader—typically through phishing or another scam—it beacons out to the attacker's server. The server responds by sending encrypted software for the loader to decrypt and run.
The loader Wardle examined is especially appealing because it is designed to run whatever “payload,” or malware, it receives directly in a computer’s random access memory, rather than installing it on the hard drive. Known as a fileless malware attack, this makes it much harder to detect an intrusion or investigate an incident later, because the malware doesn’t leave records of having ever been installed on the system. And Wardle points out that the loader, a “first stage” attack tool, is payload-agnostic, meaning you can use it to run whatever type of “second stage” attack you want on a target’s system. But Lazarus didn't come up with all these impressive tricks itself.
“All the code that implements the in-memory loader was actually grabbed from a Cylance blog post and GitHub project where they released some open source code as part of research,” says Wardle. Cylance is an antivirus firm that also conducts threat research. “When I was analyzing the Lazarus Group loader I found basically an exact match. It's interesting that the Lazarus Group programmers either Googled this or saw the presentation about it at the Infiltrate conference in 2017 or something.”
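Wardle's “basically an exact match” finding is, at bottom, a code-similarity comparison between a new sample and a published reference. The following is an added example (not Wardle's or Cylance's tooling) of how a researcher might measure such reuse: byte n-gram Jaccard similarity plus the longest verbatim shared run. The byte strings are constructed stand-ins for extracted code sections.

```python
"""Estimate how much code two samples share, the kind of check a researcher
runs when a new loader looks like a recycled open-source project.
Added example, not the tooling from the article; inputs are constructed."""
from collections import Counter


def shingles(data: bytes, k: int = 8) -> Counter:
    """Multiset of k-byte sliding windows. Smaller k tolerates small edits;
    larger k reduces coincidental matches."""
    if len(data) < k:
        return Counter([data]) if data else Counter()
    return Counter(data[i:i + k] for i in range(len(data) - k + 1))


def jaccard(a: Counter, b: Counter) -> float:
    """Weighted Jaccard similarity of two shingle multisets, in [0, 1]."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 0.0


def longest_shared_run(a: bytes, b: bytes, k: int = 8) -> tuple:
    """(offset_in_a, offset_in_b, length) of the longest common byte run of
    at least k bytes. Seeds on shared k-grams and extends forward, so it is
    cheap on realistic section sizes."""
    index = {}
    for j in range(len(b) - k + 1):
        index.setdefault(b[j:j + k], []).append(j)
    best = (0, 0, 0)
    for i in range(len(a) - k + 1):
        for j in index.get(a[i:i + k], ()):
            n = k
            while i + n < len(a) and j + n < len(b) and a[i + n] == b[j + n]:
                n += 1
            if n > best[2]:
                best = (i, j, n)
    return best


def compare(sample: bytes, reference: bytes, k: int = 8) -> dict:
    """Summarise reuse of `reference` code inside `sample`."""
    sim = jaccard(shingles(sample, k), shingles(reference, k))
    off_s, off_r, n = longest_shared_run(sample, reference, k)
    return {"similarity": round(sim, 3), "shared_bytes": n,
            "sample_offset": off_s, "reference_offset": off_r}


# Constructed stand-ins: a published loader's code section, and a new sample
# that wraps a verbatim copy of its core in unrelated code.
SHARED_CORE = bytes((i * 37 + 11) & 0xFF for i in range(256))
PUBLISHED = bytes((i * 91 + 3) & 0xFF for i in range(96)) + SHARED_CORE
NEW_SAMPLE = (bytes((i * 53 + 7) & 0xFF for i in range(64)) + SHARED_CORE
              + bytes((i * 17 + 5) & 0xFF for i in range(80)))

if __name__ == "__main__":
    print(compare(NEW_SAMPLE, PUBLISHED))
```

A high `shared_bytes` count at a fixed offset pair points to a copied component even when overall similarity is modest; a reviewer would then diff the disassembly at those offsets rather than trusting the score alone.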
Recycled malware also has the potential to muddy attribution, as Russia's elite hackers know all too well. If a certain actor develops a trademark malware, it can be easy to assume that all activity employing that tool comes from the same group.
That anonymity is obviously a benefit for attackers, though, and one of many that come with malware reuse. That’s why Wardle emphasizes the need to keep a close eye on such recycling over time.