AppleJeus Malware Disguised as Cryptocurrency Apps Distributed by North Korean Hackers

AppleJeus malware disguised as cryptocurrency apps is being distributed by North Korean hackers known as the Lazarus Group.

According to researchers Callum Roxan, Paul Rascagneres, and Robert Jan Mora, “This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents.”

The North Korean government is known to use malicious cyber activity to collect intelligence, attack networks, and generate cash for the sanctions-hit nation. These threats are collectively attributed to the secretive Lazarus Group, also known as Hidden Cobra or Zinc.

According to the 2021 Annual Threat Assessment released by U.S. intelligence agencies, “North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs.”

The Cybersecurity and Infrastructure Security Agency (CISA) earlier released a warning about an activity cluster called TraderTraitor, which targets crypto traders and exchanges through trojanized crypto apps for Windows and macOS.

The new TraderTraitor attacks culminate in the deployment of the Manuscrypt remote access trojan, delivered through an installer that mimics a crypto trading website named BloxHolder. This installation file holds AppleJeus and is distributed via the legitimate Haas Online platform, a copycat of BloxHolder.

AppleJeus, first documented by Kaspersky in 2018, is malware designed to collect system information from the infected machine (such as its MAC address, computer name, and operating system version) and send that data to a server controlled by the attackers.

The attack chain changed slightly in October 2022: the adversaries now use Microsoft Excel documents containing macros to download their files from OpenDrive.

Volexity speculated that the switch is meant to reduce detection by security products. Although it could not obtain the image file “background.png” from the OpenDrive link, it noted that the image embeds three files, including an encoded payload that is subsequently extracted and launched on the compromised host.
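As an added triage example (not from the article or from Volexity's report), the Python below walks a PNG's chunk list and reports whatever sits after the IEND chunk, the simplest place an image can carry embedded files; it assumes that is how the payload is attached (the report does not say), and the clean PNG, the appended tail and the small signature table are constructed here for illustration.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Illustrative signature table (assumption): flag these if they start the appended tail.
KNOWN_MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive",
               b"\x7fELF": "ELF executable", b"%PDF": "PDF document"}

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk's CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: encoded or compressed data sits near 8.0, plain text nearer 4 to 5."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def triage_png(data: bytes) -> dict:
    """Report bytes after IEND, their entropy, and any known file signature at the tail start."""
    tail = data[png_end_offset(data):]
    magic = next((name for sig, name in KNOWN_MAGIC.items() if tail.startswith(sig)), None)
    return {"trailing_bytes": len(tail), "entropy": round(shannon_entropy(tail), 2), "magic": magic}

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

CLEAN_PNG = build_minimal_png()
# Constructed suspect: the same image with a PE-like, high-entropy blob appended after IEND.
SUSPECT_PNG = CLEAN_PNG + b"MZ" + bytes(range(256)) * 2
print(triage_png(SUSPECT_PNG))
```

A non-zero trailing byte count on an image pulled from an attack chain is the cue to carve the tail out and analyse it separately; a known signature or near-8.0 entropy raises the priority.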

The researchers concluded, “The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics.”
