Background
MKRAT was publicly announced in May 2018 by the US National Security Agency. The malware was created by a North Korean-linked hacking group known as Lazarus Group and uses Apple's Xcode; it gained popularity with the public by offering money in return for using its Remote Access Trojan. It was discovered to have been used by the United Arab Emirates-linked hacking group Empire, which is based in Turkey and also used mobile malware in a similar manner. MKRAT has reportedly been used in cyber attacks on various Middle Eastern countries, including Iran.
Malware
The malware provides a user interface which is initially stored in a hidden folder. Once the malware is initiated, it connects to an unidentified network. It then attempts to infect the Windows operating system by downloading the Zeus Trojan, after which it provides the user with free remote access to their computer. The user interface displayed to the user is a combination of a browser window and a small interface used for viewing the infected files.
The malware uses the Apple Xcode framework to embed hidden functionality. It also uses the xcodebuild command-line tool, a developer toolkit for building software from source, to perform its actions and to spread the infection further within the host system. It has been described as an "imminent threat" by the FBI because of the methods it used to communicate and the fact that, unlike other known malicious software, it remained unpatched.
The malware is believed to have been created by the North Korean hacking group Lazarus Group, which has been linked to the Sony and WannaCry cyberattacks and the creation of the NotPetya malware.
Response
Apple released a security patch for its Xcode and Mac OS X frameworks on October 2, 2018, which mitigated the malware. Other developers are expected to release similar updates, and antivirus vendors are expected to protect their users from attacks which use the malware.
Actions
The United States Federal Bureau of Investigation (FBI) announced on May 22, 2018 that it had arrested thirteen individuals, including twelve North Koreans, in relation to the malware. The malware has been compared to the WannaCry ransomware and the NotPetya malware, which both caused major disruptions in 2018. The U.S. Department of Justice has charged the twelve individuals with cybercrimes related to operating a botnet.
See also
NotPetya malware
WannaCry ransomware
Rusek Malware
BatH
Command and control