North Korean Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps

Dec 05, 2022 | Ravie Lakshmanan | Threat Intelligence / Malware

AppleJeus Malware

The Lazarus Group threat actor has been observed using fake cryptocurrency apps as a lure to deliver a previously undocumented version of the AppleJeus malware, according to new findings from Volexity.

"This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents," researchers Callum Roxan, Paul Rascagneres, and Robert Jan Mora said.

The North Korean government is known to adopt a three-pronged approach, using malicious cyber activity orchestrated to collect intelligence, conduct attacks, and generate illicit revenue for the sanctions-hit nation. The threats are collectively tracked under the name Lazarus Group (aka Hidden Cobra or Zinc).

"North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, probably stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs," per the 2021 Annual Threat Assessment released by U.S. intelligence agencies.

Earlier this April, the Cybersecurity and Infrastructure Security Agency (CISA) warned of an activity cluster dubbed TraderTraitor that targets cryptocurrency exchanges and trading firms via trojanized crypto apps for Windows and macOS.


While the TraderTraitor attacks culminate in the deployment of the Manuscrypt remote access trojan, the new activity uses a supposed crypto trading website named BloxHolder, a copycat of the legitimate HaasOnline platform, to deliver AppleJeus via an installer file.

AppleJeus, first documented by Kaspersky in 2018, is designed to harvest information about the infected system (i.e., MAC address, computer name, and operating system version) and download shellcode from a command-and-control (C2) server.

The attack chain is said to have undergone a slight deviation in October 2022, with the adversary shifting from MSI installer files to a booby-trapped Microsoft Excel document that uses macros to download a remotely hosted payload, a PNG image, from OpenDrive.

The idea behind the change is likely to reduce static detection by security products, Volexity said, adding that it could not obtain the image file ("Background.png") from the OpenDrive link but noted that it embeds three files, including an encoded payload that is subsequently extracted and launched on the compromised host.
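A defender-side check for the PNG-carrier technique described above, added here as an example and not part of Volexity's report or the original article. It assumes the embedded files are hidden either as bytes appended after the IEND chunk or inside non-standard or oversized chunks; the page does not say which method Background.png used, so both are flagged. The sample images are constructed in the block.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN = {"IHDR", "PLTE", "IDAT", "IEND", "tEXt", "zTXt", "iTXt", "tIME", "gAMA",
         "cHRM", "sRGB", "iCCP", "bKGD", "pHYs", "sBIT", "tRNS", "hIST", "sPLT"}

def parse_png(data):
    """Walk the chunk list; return (chunks, bytes_after_IEND) with chunks as (type, length, crc_ok)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            break  # truncated chunk: stop and treat the remainder as trailing bytes
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def png_findings(data, ancillary_limit=4096):
    """Return reasons a PNG looks like a carrier for hidden files rather than a plain image."""
    chunks, trailing = parse_png(data)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    for ctype, length, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC in chunk {ctype}")
        if ctype not in KNOWN:
            findings.append(f"unknown chunk type {ctype} ({length} bytes)")
        elif ctype not in ("IDAT", "PLTE", "iCCP") and length > ancillary_limit:
            findings.append(f"oversized ancillary chunk {ctype} ({length} bytes)")
    return findings

def _chunk(ctype, body):  # helper for constructed sample data: a chunk with a valid CRC
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

def build_sample_png(extra_chunks=b"", trailing=b""):
    """Constructed 1x1 RGB PNG, optionally with extra chunks before IEND and bytes after it."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    return PNG_SIG + ihdr + idat + extra_chunks + _chunk(b"IEND", b"") + trailing
```

Run `png_findings` over images fetched by Office macros or found in download directories; a clean image returns an empty list, while appended data or an unknown chunk type produces a finding worth a closer look.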

"The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics," the researchers concluded.
