The North Korean Lazarus hacker group is targeting crypto-exchanges with innovative fileless Mac malware.
The malware infects the machine in a fairly standard two stage approach. The victim is first tricked into downloading an application for a new cyptocurrency exchange called Union Crypto. The app itself establishes a simple persistent daemon process which calls home to a command and control server at regular intervals. Then it gets interesting. The data downloaded from the command and control server is not a file to be written to disk but instead a data structure which is stored in memory. Then the app uses Apple API to prepare the memory structure so the program can jump into it and continue execution.
As the layout of an in-memory process image is different from its on disk-in image, one cannot simply copy a file into memory and directly execute it. Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).
Wardle discussed this possible method of malware design at Blackhat 2015, however this is thought to be the first time it has been detected in the wild.
With the increasing market penetration of Apple Mac and Linux systems, businesses should not make the false assumption that cyber-criminals are only targeting Microsoft Windows.