In the last 18 months, North Korea-linked Lazarus APT group has continued to target cryptocurrency exchanges evolving its TTPs.
Kaspersky researchers have analyzed the attacks carried out by North Korea-linked Lazarus APT group in the past 18 months and confirmed their interest in banks and cryptocurrency exchanges.
In the mid-2018, the APT targeted cryptocurrency exchanges and cryptocurrency companies, experts from Kaspersky Lab tracked a campaign dubbed Operation AppleJeus aimed at spreading a tainted cryptocurrency trading application.
“While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanizedcryptocurrency trading application, which had been recommended to the company over email.” states the report published in 2018 by Kaspersky.
“It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to.”
After releasing Operation AppleJeus, the Lazarus group carried out other attacks against cryptocurrency businesses using similar tactics. The researchers spotted more macOS malware similar to the one that was involved in Operation AppleJeus.
The macOS installers used by the state-sponsored hackers were based on the public source code, the authors used QtBitcoinTrader developed by Centrabit.
The three macOS installers analyzed by Kaspersky use a similar post installer script, as well as using the same command-line argument when executing the fetched second-stage payload. However, the researchers noticed a different type of macOS malware, MarkMakingBot.dmg (be37637d8f6c1fbe7f3ffc702afdfe1d), that was created on 2019-03-12.
The malware did not have an encryption/decryption routine for network communication a circumstance that suggest it was still under development.
One victim was compromised by Windows AppleJeus malware in March 2019, experts determined that the infection started from a malicious file named WFCUpdater.exe.
The experts pointed out that while the Windows malware used in the campaign only had small changes, the macOS malware was heavily changed. Major changes are:
The actor used GitHub in order to host their malicious applications.
The malware author used Object-C instead of QT framework in their macOS malware.
The malware implemented a simple backdoor function in macOS executable.
The malware encrypted/decrypted with a 16-byte XOR key (X,%`PMk–Jj8s+6=) similar to the previous case.
The Windows version of the malware used ADVobfuscator, a compiled time obfuscator, in order to hide its code.
The post-install script of macOS malware differed significantly from the previous version.
Recently Kaspersky detected a new macOSmalware that used a malicious application named UnionCryptoTrader. The Windows version of the same malware executed from the Telegram messenger download folder.
Some of the payloads were executed in memory, with a backdoor payload delivered in the final step of the attack chain.
“This final payload was designed to run only on certain systems. It seems that the malware authors produced and delivered malware that only works on specific systems based on previously collected information. The malware checks the infected system’s information and compares it to a given value.” continues the report. “It seems the actor wants to execute the final payload very carefully, and wants to evade detection by behavior-based detection solutions.”
Kaspersky identified several victims of Operation AppleJeus sequel, most of them were in the UK, Poland, Russia and China, and experts pointed out that many of them are linked to cryptocurrency business entities.
“The actor altered their macOS and Windows malware considerably, adding an authentication mechanism in the macOS downloader and changing the macOS development framework. The binary infection procedure in the Windows system differed from the previous case. ” Kaspersky concluded. “They also changed the final Windows payload significantly from the well-known Fallchill malware used in the previous attack. We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon,”
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Pierluigi Paganini
January 10, 2020
