Volexity’s cybersecurity experts have discovered a new wave of attacks in which AppleJeus malware is distributed via fake cryptocurrency apps. Researchers attribute this new campaign to the North Korean APT group Lazarus.
Notably, Lazarus hackers used AppleJeus malware to attack multiple cryptocurrency exchanges, according to Hackread.com.
Campaign Analysis
Researchers found that the group set up a fake trading site and uses DLL sideloading to deploy the malware. The campaign's primary targets are cryptocurrency users and organisations.
The group used a modified version of AppleJeus malware to attack their victims via . The campaign began in June 2022, and it is currently active.
“The Lazarus Group is continuing its efforts to target cryptocurrency users, in spite of ongoing attention to the campaigns and tactics. They have chosen to load the payload using chained DLL-sideloading in order to avoid detection. Despite all these modifications, their goals remain the same with the cryptocurrency market being a focal point as a way for the DPRK to bolster its finances,” the researchers stated in their post.
Volexity’s results should not be surprising. As of January 2022 Lazarus hackers had from cryptocurrency exchanges. It was who reported that this group had been using TraderTraitor malware to attack Blockchain organisations in April 2022.
What was the scheme like?
According to reports, the scheme involves setting up a live cryptocurrency-themed website whose content is copied from legitimate websites. AppleJeus was then delivered through a modified DLL sideloading technique that had not been publicly documented.
Further investigation revealed that the threat actors registered the domain bloxholder[.]com in June 2022. It was still active at the time of writing and was configured to host a website about automated cryptocurrency trading.
The site is a fake copy of the HaasOnline website in which all references to HaasOnline were replaced with BloxHolder.
The fake website offers an app that is disguised as BloxHolder. The app installed both QTBitcoinTrader and the AppleJeus malware.
Detailed Analysis
Volexity researchers discovered that the Lazarus team was installing AppleJeus malware via a malicious MS Office document named OKX Binance.xls, which replaced the earlier MSI installer. This change was observed in October 2022.
The malicious document contained a macro that worked in two stages. First, it decoded a base64-encoded OLE object; that OLE object in turn contained a second macro.
The first document also contained additional base64-encoded variables that let the attackers define where the malware would be installed. The attackers also used OpenDrive to distribute the final-stage payload.
Researchers could not recover the payload deployed in October. The DLL sideloading mechanism was similar to that used in the MSI-based attacks.
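When triaging a document of this kind, a defender wants to find the long base64 literals in the macro source and identify what they decode to, so an embedded OLE object or executable is spotted before anything is run. The following is an added Python example, not code from Volexity or from the article; the VBA snippet, the magic-byte table and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# Magic bytes a decoded blob may start with. An OLE compound file is the
# container used for embedded objects and legacy Office formats.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound file",
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP/OOXML",
}

# VBA splits long literals as  "..." & _ <newline> "..."  ; join them first.
CONCAT = re.compile(r'"\s*&\s*(?:_\s*\r?\n\s*)?"')
# Quoted literals that look like base64 and are long enough to be a payload.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')


def classify(blob: bytes) -> str:
    """Name the file type by its magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def find_encoded_blobs(vba_source: str) -> list:
    """Return one dict per base64 literal in the macro that decodes cleanly."""
    hits = []
    for match in B64_LITERAL.finditer(CONCAT.sub("", vba_source)):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, e.g. a long plain string
        hits.append({"kind": classify(blob), "size": len(blob)})
    return hits


# Constructed sample (hypothetical, not from the real document): a 128-byte
# stand-in for an embedded OLE object, base64 encoded and split across a
# VBA line continuation the way droppers commonly do.
_FAKE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 120
_B64 = base64.b64encode(_FAKE_OLE).decode()
SAMPLE_VBA = (
    "Sub AutoOpen()\n"
    "    Dim p As String\n"
    '    p = "' + _B64[:80] + '" & _\n'
    '        "' + _B64[80:] + '"\n'
    "End Sub\n"
)
```

Running `find_encoded_blobs(SAMPLE_VBA)` reports a single 128-byte OLE compound file; pointing it at macro source dumped from a real sample (for instance by an OLE-aware extraction tool) gives a quick list of what the macro is carrying.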