Lazarus Description

Lazarus is an old Trojan that has plagued millions of users for years. The crooks in charge of the Trojan have devised a new, fileless variant of Lazarus specifically aimed at MacOS users. The Trojan comes under the guise of a bogus cryptocurrency trading tool. The latter requires actual disk installation before bringing additional malware from a remote C&C server and inject it straight into your Mac system memory.

Infection Vector

Since the Lazarus gang touts the new macOS fileless Trojan as a cryptocurrency tool, it is no wonder that they spread it mostly via malvertising and spam email campaigns. After watching the advert, targeted users feel the nudge to go to a dedicated website dubbed unioncrypto(dot)vip, which spreads the Trojan. By way of social engineering, the crooks in charge lure unsuspecting victims into downloading a trade app disk image called UnionCryptoTrader.dmg. Before installation, macOS will trigger a warning that it cannot verify the developer of this app. If you do agree to install the unsigned app, nonetheless, you’ll let the malware install the vip.unioncrypto.plist launch daemon to acquire persistence provided you grant it root access beforehand. You will know you've got an infection if you find the Trojan's configuration file at /Library/LaunchDaemons/vip.unioncrypto.plist and its executable file at /Library/UnionCrypto/unioncryptoupdater.


That is the third time the Lazarus gang has devised a Mac-specific Trojan following the 2018 Apple.Jeus malware affair and the 2019 backdoor Trojan spread over GitHub. Since the new fileless Trojan shares a lot of code similarities with the former two malware pieces, it may inflict a similar kind of damage to the host Mac system. In the best-case scenario, the crooks at Lazarus will exploit your machine to dig coins for themselves. In case you've already acquired a certain amount of one or more digital currencies, Lazarus' new Trojan will get a grip on it all. Either way, you will experience a terrible slowdown in your Mac's processing power, which won't stop until you remove the malware effectively.


Unless you deliberately ignore the two warning signs your macOS will trigger upon installation, you are unlikely to end up with a fileless Lazarus Trojan infection. However, when disaster strikes, you should waste no time deploying a reputable anti-malware scanner to clean your Mac from that particular infection and any other potentially malicious files residing within the system.

Related Posts