back to article In a desperate bid to stay relevant in 2020's geopolitical upheaval, N. Korea upgrades its Apple Jeus macOS malware

Malware hunters are sounding the alarm over a new, more effective version of the North Korean "Apple Jeus" macOS software nasty. The team at Kaspersky Lab's Global Research and Analysis Team has dissected what they say is a 'sequel' to the 2018 outbreak that targeted users on cryptocurrency sites for account theft. Believed …

  1. alain williams Silver badge

    "Believed to be operating out of North Korea"

    is there real evidence ?

    I ask as this is highly political and it would serve several politicians well to be able to point fingers at the NORKs and say "nasty, dangerous". The trouble is that, unfortunately, I trust our politicians & their lackeys less & less - just look at Boris & Trump.

    Flinging out malware & blaming someone else would be a good wheeze for all sorts of spooks & governments.

    I am not saying that Kim Jong-un is a saint, but I doubt that he is the source of all evil.

    1. doublelayer Silver badge

      Re: "Believed to be operating out of North Korea"

      Attribution is hard. It's. possible that someone's been framing North Korea for an unspecified length of time, and they either are responsible for everything attributed to that country or are very good at mimicking characteristics of their malware to do the framing. If so, they're really good at fooling everybody. However, we've seen what it's like when people try to blame North Korea--someone who is probably Russia but theoretically could be someone else tried to do that a couple years ago, and they didn't stay hidden for very long.

      As for solid proof, there are several types. The basic type of having found assets in the malware relating in some way to North Korea applies to most of them, but could obviously be faked given some effort. This runs from the simple string frequently used there to a network address that has been operated by Pyongyang interests at some point. There is also the tactic of code comparison. If a group uses a similar module (similar in the sense of similar compiled code) that was previously reliably attributed to North Korea, then it's probably North Korea doing it again. They're the only ones with the source, so it's extremely unlikely that someone went to the effort of reverse engineering their codebase just so they'd produce similar binaries. And finally, we can have extra confidence in some of these tactics because there are some pieces of malware to which the North Korean government has admitted. Using these tactics, researchers who have spent years looking at malware from different groups can do a reasonably good job of telling when one of those groups spins up again. Nothing is guaranteed, and attribution is very tricky, but don't presume they don't know what they're talking about.

    2. Anonymous Coward
      Anonymous Coward

      Re: point fingers at the NORKs and say "nasty, dangerous".

      North Korea has an extraordinarily unpleasant and repressive government - "writing malware" is not obviously something one might need to put very high on a list of "nasty, dangerous" things they do.

    3. Alumoi Silver badge

      Re: "Believed to be operating out of North Korea"

      Believing does not need evidence. See religion.

      1. Phil O'Sophical Silver badge

        Re: "Believed to be operating out of North Korea"

        Believing does not need evidence. See religion.

        Believing without evidence is Faith. Religion is when Faith is exploited.

        1. Alumoi Silver badge

          Re: "Believed to be operating out of North Korea"

          Wow, much better. Mind if I use it?

  2. the Jim bloke Silver badge

    legitimate cryptocurrency trading app

    Maybe not a full oxymoron, but it does get the cognitive dissonance jangling

    or it could be lack of sleep.

  3. steviebuk Silver badge


    ... Apple's don't get virus' so the hipster fans keep blindly believing.

    1. MiguelC Silver badge

      Re: But...

      Of cours not!

      Apples only get worms, as any fule kno!

    2. katrinab Silver badge

      Re: But...

      “Masquerading as a legitimate currency app” suggests it requires user action to install, and no amount of security can stop that. A virus scanner can discourage people from installing it if it knows about that specific threat, but if you are going to rely on that, you need to download it, keep it for a few days until the virus scanner gets updated, then scan it; and most people don’t do that.

  4. Pascal Monett Silver badge

    "The malware uses GitHub"

    And why hasn't GitHub shut that down already ?

    Or is Microsoft not aware of the issue ?

    1. Anonymous Coward
      Anonymous Coward

      Re: "The malware uses GitHub"

      Well, in that case Microsoft probably knows it's coming from somewhere else, say Virginia or D.C., so they do not interfere in high politics by moving like an elephant in a china shop.

  5. Anonymous Coward
    Anonymous Coward

    Watch your spelling!!

    "Apple Jeus sets its sites "

    Unless that was a laboured pun, I imagine you meant "sights" -- as in "gun-sights"...

    Who proofreads for you?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022