Cybersecurity researchers at Volexity have detected a new wave of attacks in which AppleJeus malware is distributed through fake cryptocurrency apps. The researchers attribute this new campaign to the North Korean APT group Lazarus.
It is worth noting that, as reported by Hackread.com in August 2018, the Lazarus hacker group was found using AppleJeus malware against macOS in its attack on several cryptocurrency exchanges.
Campaign Analysis
According to the researchers, the notorious Lazarus hacking group uses a fake trading website and DLL side-loading to distribute the malware. The primary targets of this campaign are cryptocurrency users and organizations.
In its latest attack, the group is using a variant of AppleJeus malware distributed via malicious Microsoft Office documents. This campaign started in June 2022 and is still active.
“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to elude detection, they have decided to use chained DLL side-loading to load their payload. Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances,” the researchers wrote in their blog post.
Volexity’s findings should not come as a surprise; as of January 2022, Lazarus hackers had stolen $1.7 billion from cryptocurrency exchanges. In fact, in April 2022, it was reported that the group has been using another malware, called TraderTraitor, to target blockchain organizations.
How Did the Scheme Work?
The scheme reportedly involves a live crypto-themed website featuring content stolen from a legitimate site. AppleJeus malware was deployed using a new variant of DLL side-loading that had not previously been documented in the wild.
Further investigation revealed that in June 2022, the threat actors registered a domain name (bloxholder[.]com, which was still live at the time of writing) and configured it to host a website related to automated cryptocurrency trading.
This website was a fake version of the genuine cryptocurrency trading platform HaasOnline (haasonline[.]com). All references to that site were changed to BloxHolder, along with several other tweaks.
The fake website distributes a malicious Windows MSI installer disguised as the BloxHolder app. This installer dropped the AppleJeus malware together with the QTBitcoinTrader app.
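DLL side-loading works because a legitimately signed executable resolves a DLL by bare name and the Windows loader checks the application directory before System32, so an attacker who ships an unsigned DLL of that name next to the executable gets it loaded under the signed process. The following detection heuristic is an added example, not Volexity's or Hackread's code, and runs over constructed image-load events; the executable, DLL names and install path are assumptions, since the page does not name the specific files used in this campaign. It also models the "chained" variant the researchers describe by recording further unsigned DLLs the same process loads from its application directory after the first side-load.

```python
"""Heuristic detector for (chained) DLL side-loading from image-load telemetry.

Added example; the event records, DLL names and paths below are constructed
for illustration and are not indicators from the campaign.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which well-known Windows DLLs are expected to be loaded.
SYSTEM_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\winsxs",
)

# Library names that ship with Windows; a copy of one of these loaded from an
# application directory is the classic side-loading tell (assumed sample set).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll",
                    "cryptbase.dll", "wtsapi32.dll"}


@dataclass(frozen=True)
class ImageLoad:
    """One module-load event, in the shape EDR/Sysmon Event ID 7 telemetry provides."""
    process_image: str   # path of the process that loaded the module
    image_loaded: str    # path of the DLL that was mapped
    signed: bool         # whether the DLL carried a valid Authenticode signature


def _in_system_dir(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a system-named DLL is loaded, unsigned, from the host EXE's own directory."""
    dll = PureWindowsPath(ev.image_loaded)
    if dll.name.lower() not in SYSTEM_DLL_NAMES:
        return False
    if _in_system_dir(ev.image_loaded):
        return False
    # Same directory as the host executable: the loader's search order found
    # the attacker's copy before the real one in System32.
    same_dir = PureWindowsPath(ev.process_image).parent == dll.parent
    return same_dir and not ev.signed


def find_sideloads(events):
    """Return the events that look like a first-stage side-load."""
    return [ev for ev in events if is_sideload_candidate(ev)]


def sideload_chains(events):
    """Map each side-loading process to the ordered list of suspicious DLLs it loaded.

    The first entry is the side-loaded system-named DLL; later entries are any
    unsigned DLLs the same process then loaded from outside the system
    directories, i.e. the 'chained' pattern the researchers describe.
    """
    chains = {}
    for ev in events:
        if is_sideload_candidate(ev):
            chains.setdefault(ev.process_image, [ev.image_loaded])
        elif (ev.process_image in chains and not ev.signed
              and not _in_system_dir(ev.image_loaded)):
            chains[ev.process_image].append(ev.image_loaded)
    return chains


# Constructed telemetry: a trojanised app directory plus a benign control load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", r"C:\Program Files\ExampleApp\version.dll", False),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", r"C:\Program Files\ExampleApp\stage2.dll", False),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll", True),
]

if __name__ == "__main__":
    for proc, dlls in sideload_chains(SAMPLE_EVENTS).items():
        print(proc)
        for dll in dlls:
            print("   ->", dll)
```

The signature check matters: a vendor that legitimately redistributes a system DLL will usually ship a signed copy, so requiring "unsigned and co-located with the host" keeps the false-positive rate workable. In production the `SYSTEM_DLL_NAMES` set should be generated from a clean Windows build rather than hand-listed.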
Detailed Analysis
Volexity researchers noted that in October 2022, the Lazarus group switched from the MSI installer to delivering AppleJeus through a malicious Microsoft Office document titled "OKX Binance & Huobi VIP price comparision.xls".
The malicious document contained a macro split into two parts. The first part decoded a base64 blob containing a second OLE object, which in turn carried a second macro.
The first document also stored various base64-encoded variables that defined where the malware would be placed on the affected system. In addition, the attackers used OpenDrive to host the final-stage payload.
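The two-stage layout described above (a first macro that decodes base64 literals into a nested OLE object, a second macro and the drop-path variables) is exactly the structure an analyst wants to pull apart quickly. The triage helper below is an added example, not Volexity's or Hackread's code: it assumes the VBA source has already been dumped as text (for instance with olevba), finds quoted base64 literals, decodes them, classifies each as an OLE compound document (by the D0 CF 11 E0 A1 B1 1A E1 header), nested VBA, a Windows path or other text, and recurses into any nested VBA it finds. The sample macro it runs on is constructed here and is not the campaign's document.

```python
"""Triage base64 literals in dumped VBA macro source.

Added example. The SAMPLE_VBA macro is constructed for illustration; the
real document's macro and variable names are not reproduced on the page.
"""
import base64
import binascii
import re

# Magic bytes of an OLE2 compound file (the container format of .doc/.xls and
# embedded OLE objects).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# A quoted string of at least 16 base64 characters with optional padding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def extract_blobs(vba_source: str):
    """Return the decoded bytes of every quoted literal that is valid base64."""
    blobs = []
    for match in B64_LITERAL.finditer(vba_source):
        try:
            blobs.append(base64.b64decode(match.group(1), validate=True))
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not; skip it
    return blobs


def classify(raw: bytes) -> str:
    """Label a decoded blob by what it most likely is."""
    if raw.startswith(OLE_MAGIC):
        return "ole-object"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    if re.search(r"\b(Sub|Function)\s+\w+\s*\(", text):
        return "vba-macro"
    if re.match(r"^(%\w+%|[A-Za-z]:)\\", text):
        return "windows-path"
    return "text"


def triage(vba_source: str, depth: int = 0, max_depth: int = 3):
    """List (depth, kind, preview) for each blob, recursing into nested VBA.

    An OLE object would be handed to an OLE parser for its own macro streams;
    that step is outside this example, so OLE blobs are only labelled.
    """
    findings = []
    for raw in extract_blobs(vba_source):
        kind = classify(raw)
        findings.append((depth, kind, raw[:32]))
        if kind == "vba-macro" and depth < max_depth:
            findings.extend(triage(raw.decode("ascii"), depth + 1, max_depth))
    return findings


# Constructed sample: an outer macro embedding a fake OLE header, a nested
# macro, and (inside the nested macro) a base64-encoded drop directory.
_STAGE2_PATH = b"%APPDATA%\\Updater\\"
_NESTED_MACRO = (b'Sub AutoOpen()\r\n  p = "'
                 + base64.b64encode(_STAGE2_PATH) + b'"\r\nEnd Sub\r\n')
_FAKE_OLE = OLE_MAGIC + b"\x00" * 24   # header magic only, not a real document
SAMPLE_VBA = (
    "Dim a As String\r\n"
    'a = "' + base64.b64encode(_FAKE_OLE).decode() + '"\r\n'
    'm = "' + base64.b64encode(_NESTED_MACRO).decode() + '"\r\n'
    'x = "Hello World"\r\n'   # not base64 (contains a space), must be ignored
)

if __name__ == "__main__":
    for depth, kind, preview in triage(SAMPLE_VBA):
        print("  " * depth + f"{kind}: {preview!r}")
```

The 16-character floor on literals and the `validate=True` decode keep ordinary short strings and near-base64 identifiers out of the results; a real macro will also split blobs across string concatenations, so joining adjacent `"..." & "..."` fragments before matching is the first extension to make.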
However, the researchers could not retrieve the final payload deployed since October. They noted that its DLL side-loading mechanism was similar to the one used in the attacks involving the MSI installer.