North Korean hackers suspected of creating Mac-based malware

Mac users beware. North Korean hackers appear to be developing malware that can infect your computer.

Security firm Kaspersky Lab uncovered the macOS-based malware while investigating a hack at an unnamed cryptocurrency exchange in Asia. The breach was sourced back to an email that convinced a company employee to download a third-party app for trading virtual currencies.

Unfortunately, the app was a Trojan in disguise. According to Kaspersky, it contained a malware strain known as Fallchill , which has been linked to a notorious North Korean hacking group called Lazarus. Once infected, Fallchill can secretly take over your computer to steal data or install other malicious code.

The app came from a US-based company called Celas, which specializes in secure "blockchain solutions" for the enterprise market. When you install it, the program doesn't do anything harmful. However, Kaspersky Lab noticed that it can update itself and deliver the Fallchill malware to your computer.

More From PCmag

"(The updater) acts like a reconnaissance module: first, it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server," Kaspersky Lab said. "If the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update."

The Trojan that hit the cryptocurrency exchange was installed on a PC. But during its investigation, Kaspersky noticed that the hackers had developed a Windows and Mac version of the app, both of which contained the hidden auto-updater.

"This is the first case where Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware that targets macOS users, and it represents a wakeup call for everyone who uses this OS for cryptocurrency-related activity," the security firm said.

As for Celas, Kaspersky suspects it's a fake company created by the North Koreans. The person who registered the Celas website domain paid for it using Bitcoin, and used a ramen shop in Chicago as its physical address. The Celas site is currently down, and it did not immediately respond to a request for comment.

In recent months, several hacking attempts on cryptocurrency exchanges and banks have been blamed on the Lazarus group. One tactic involved trying to trick Bitcoin experts into installing malware through phishing emails that pretend to offer job positions. To protect yourself, don't download apps from little-known vendors.

"Do not automatically trust the code running on your systems," Kaspersky Lab said. "Neither good looking website, nor solid company profile nor the digital certificates guarantee the absence of backdoors. Trust has to be earned and proven."

This article originally appeared on PCMag.com.