North Korea-linked Lazarus APT continues to target cryptocurrency exchanges

In the last 18 months, North Korea-linked Lazarus APT group has continued to target cryptocurrency exchanges evolving its TTPs.

Kaspersky researchers have analyzed the attacks carried out by North Korea-linked Lazarus APT group in the past 18 months and confirmed their interest in banks and cryptocurrency exchanges.

In the mid-2018, the APT targeted cryptocurrency exchanges and cryptocurrency companies, experts from Kaspersky Lab tracked a campaign dubbed Operation AppleJeus aimed at spreading a tainted cryptocurrency trading application.

“While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email.” states the report published in 2018 by Kaspersky.

“It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to.”

After releasing Operation AppleJeus, the Lazarus group carried out other attacks against cryptocurrency businesses using similar tactics. The researchers spotted more macOS malware similar to the one that was involved in Operation AppleJeus.

The macOS installers used by the state-sponsored hackers were based on the public source code, the authors used QtBitcoinTrader developed by Centrabit.

The three macOS installers analyzed by Kaspersky use a similar post installer script, as well as using the same command-line argument when executing the fetched second-stage payload. However, the researchers noticed a different type of macOS malware, MarkMakingBot.dmg (be37637d8f6c1fbe7f3ffc702afdfe1d), that was created on 2019-03-12.

The malware did not have an encryption/decryption routine for network communication a circumstance that suggest it was still under development.

One victim was compromised by Windows AppleJeus malware in March 2019, experts determined that the infection started from a malicious file named WFCUpdater.exe.

The experts pointed out that while the Windows malware used in the campaign only had small changes, the macOS malware was heavily changed. Major changes are:

• The actor used GitHub in order to host their malicious applications.
• The malware author used Object-C instead of QT framework in their macOS malware.
• The malware implemented a simple backdoor function in macOS executable.
• The malware encrypted/decrypted with a 16-byte XOR key (X,%`PMk–Jj8s+6=) similar to the previous case.
• The Windows version of the malware used ADVobfuscator, a compiled time obfuscator, in order to hide its code.
• The post-install script of macOS malware differed significantly from the previous version.

Recently Kaspersky detected a new macOSmalware that used a malicious application named UnionCryptoTrader. The Windows version of the same malware executed from the Telegram messenger download folder. 

Some of the payloads were executed in memory, with a backdoor payload delivered in the final step of the attack chain. 

“This final payload was designed to run only on certain systems. It seems that the malware authors produced and delivered malware that only works on specific systems based on previously collected information. The malware checks the infected system’s information and compares it to a given value.” continues the report. “It seems the actor wants to execute the final payload very carefully, and wants to evade detection by behavior-based detection solutions.”

Kaspersky identified several victims of Operation AppleJeus sequel, most of them were in the UK, Poland, Russia and China, and experts pointed out that many of them are linked to cryptocurrency business entities.

“The actor altered their macOS and Windows malware considerably, adding an authentication mechanism in the macOS downloader and changing the macOS development framework. The binary infection procedure in the Windows system differed from the previous case. ” Kaspersky concluded. “They also changed the final Windows payload significantly from the well-known Fallchill malware used in the previous attack. We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon,”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Lazarus APT group, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]