New In-Memory Mac Malware Difficult to Detect

Apple devices offer industry-leading security and malware protection, but they’re not perfect. New developments in malware create vulnerabilities that are increasingly harder to detect.

By Chand Bellur

December 8, 2019 at 1:59 p.m. PDT

North Korean Hackers Launch New In-Memory Malware

Desperate for nuclear weapons program funding, state-sponsored hackers from North Korea have been hiding malware in cryptocurrency apps for years. The malware siphons off cryptocurrency, depositing it in North Korean hands, which is then used to fund the despotic regime.

Their latest attempt to steal funds is much more sophisticated. North Korean hackers have figured out a way to keep malware undetectable by hiding it in-memory. It’s done in a manner that persists between reboot cycles.

New Malware Binds to macOS with API Calls

The new malware is distributed through a cryptocurrency application, which can be side loaded onto macOS through the Web. Malicious code will not be installed simply by visiting a website. Infected machines opt in to installing sketchy software, which most people would avoid.

If you’re on the bleeding edge of cryptocurrency, you want to double check that any apps you install are legit. The app in question was not signed by a developer, and macOS raised the appropriate warning. If you download apps outside of the AppStore, make sure they come from a reputable developer.

The current infection process starts when a user downloads and runs a file called UnionCryptoTrader.dmg. Apart from a dire warning from macOS, the installer looks like any other macOS app. Even today, with this malware being known, most anti-malware apps can’t detect it.

Once installed, the malware uses a rather clever process to stay hidden from security software and experts alike. According to macOS security expert Patrick Wardle, the following steps are executed:

  • move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
  • set it to be owned by root
  • create a /Library/UnionCrypto directory
  • move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
  • set it to be executable
  • execute this binary (/Library/UnionCrypto/unioncryptoupdater)

The final result of this process is that “unioncryptoupdater” is installed as a persistent in-memory process. From here, it can survive reboot cycles.

The process itself isn’t the entire payload. Using a remote API call, the in-memory process is able to execute code from an external Internet source. This allows the hackers to alter the payload as they see fit. It’s a remarkably flexible form of malware, with an in-memory stub permanently installed on the infected machine. From here, hackers can run a variety of payloads. They essentially created an almost-invisible back door into your Macintosh.

How to Avoid and Fix Unioncryptoupdater Malware

The best way to avoid the unioncryptoupdater malware is to avoid apps that raise warnings. If macOS is telling you an app may be dangerous, don’t install it. Many popular macOS apps, such as Ableton Live 10, are not sold in the App Store. Apps like this are clearly not malware. When installed, macOS gives the user a soft warning, but since the code is signed by a legitimate developer, it’s a safe app.

If you install UnionCryptoTrader.dmg from some dubious cryptocurrency website, macOS will issue dire warnings. Listen to your Mac. Don’t install malware.

If UnionCryptoTrader.dmg has already infected your machine, you should take it into the Apple Store or a cyber security expert. You can check if your Mac is infected by searching for the following file: /Library/LaunchDaemons/vip.unioncrypto.plist. If this file is on your system, you’re likely infected.

The good news is that security experts have scared off the North Korean hackers, for now. They took down the remote piece of the exploit, which renders the payload ineffective. Unfortunately, they can re-deploy the remote payload when people move on and forget about this malware.

In general, it’s never a good idea to download software from unknown sources. macOS warns users about software from untrusted developers. Heed the warnings, and you will be fine. Although macOS is an extremely secure operating system, those who wish to step outside of Apple’s walled garden should proceed with care.

Leave a comment

Your email address will not be published.