Fake Windows Crypto Apps Spreading AppleJeus Malware


The infamous North Korean state-backed Lazarus hacking group is using AppleJeus malware to steal crypto funds from Windows users.

The cybersecurity researchers at Volexity have detected a new wave of attacks in which AppleJeus malware is distributed through fake cryptocurrency apps. Researchers claim that the North Korean APT group Lazarus is behind this new campaign.

It is worth noting that, as reported by Hackread.com in August 2018, the Lazarus hacker group was found using AppleJeus malware against macOS in its attack against multiple cryptocurrency exchanges.

Campaign Analysis

According to the researchers, the Lazarus group uses a fake trading website to distribute the malware and DLL side-loading to execute it. The primary targets of the campaign are cryptocurrency users and organizations.

In the most recent attacks, the group delivers a variant of AppleJeus through malicious Microsoft Office documents rather than the fake app. The campaign began in June 2022 and is still active.

“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to allude to detection, they have decided to use chained DLL side-loading to load their payload. Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances,” researchers wrote in their blog post.

Volexity’s findings should not come as a surprise: as of January 2022, Lazarus hackers had stolen $1.7 billion from cryptocurrency exchanges. In April 2022, the group was also reported to be using another malware family, TraderTraitor, to target blockchain organizations.

How Did the Scheme Work?

The scheme reportedly involves a live crypto-themed site whose content was copied from a legitimate website. AppleJeus was deployed through a chained DLL side-loading technique that had not previously been documented in the wild.

Further investigation revealed that in June 2022 the threat actors registered a domain (bloxholder[.]com, still live at the time of writing) and configured it to host a website about automated cryptocurrency trading.

This site was a clone of the genuine cryptocurrency trading platform HaasOnline (haasonline.com). All references to HaasOnline were changed to BloxHolder, along with a few other tweaks.

Legit website (left) – Fake website (right) – Screenshot credit: Volexity

The fake website distributes a malicious Windows MSI installer disguised as the BloxHolder app. Running it installs the legitimate QTBitcoinTrader application together with the components that side-load AppleJeus, so the victim ends up with a working trading app and the malware.
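Side-loading works because the Windows loader searches an executable's own directory before the system directories, so a DLL carrying the name of a Windows DLL can be planted next to a legitimate program and loaded in its place. The following script is an added example, not Volexity's tooling or anything from the campaign: it runs a simple hunt over constructed Sysmon-style image-load events (process path, loaded DLL path, signature status) and flags loads of a system-named DLL from the application directory. The process names, paths, DLL names and the small inventory of system DLLs are all made up for the example.

```python
"""Flag image loads that look like DLL side-loading (added example with constructed data)."""
import ntpath

# Directories where Windows legitimately keeps these DLLs (lower-cased for comparison).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed, deliberately tiny inventory of DLL names that ship with Windows.
# A real deployment would build this list from a clean reference host.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptsp.dll", "dui70.dll", "userenv.dll"}


def is_side_load_candidate(event):
    """True when a DLL with a Windows system DLL's name is loaded from outside the
    system directories and from the same directory as the process that loaded it."""
    proc = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    dll_dir, dll_name = ntpath.split(dll)
    if dll_name not in SYSTEM_DLL_NAMES:
        return False
    if dll_dir in SYSTEM_DIRS:
        return False  # loaded from the expected place
    # The loader searches the application directory first, which is what side-loading abuses.
    return dll_dir == ntpath.dirname(proc)


def triage(events):
    """Return (Image, ImageLoaded, severity) for every suspicious load.
    An unsigned look-alike is rated high; a signed one may be a vendor redistribution."""
    hits = []
    for ev in events:
        if not is_side_load_candidate(ev):
            continue
        severity = "high" if ev.get("Signed", "false").lower() != "true" else "medium"
        hits.append((ev["Image"], ev["ImageLoaded"], severity))
    return hits


# Constructed sample events in the shape of Sysmon Event ID 7 (ImageLoaded).
SAMPLE_EVENTS = [
    # Normal load from System32: not flagged.
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll", "Signed": "true"},
    # Unsigned DLL named like a system DLL, sitting next to the EXE: classic side-load.
    {"Image": r"C:\Users\alice\AppData\Local\TradeApp\TradeApp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\TradeApp\version.dll", "Signed": "false"},
    # Vendor runtime DLL that is not in the system inventory: not flagged by this rule.
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\msvcp140.dll", "Signed": "true"},
    # Signed DLL with a system DLL's name in the app directory: worth a look, lower severity.
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\cryptsp.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {image} loaded {dll}")
```

The rule only catches the first hop of a chain; a DLL that is itself loaded by an already side-loaded DLL shows up as a separate image-load event from the same process, so in practice every flagged process is worth pulling the full list of non-system-directory module loads for.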

Detailed Analysis

Volexity researchers also observed, in October 2022, the Lazarus group installing AppleJeus through a malicious MS Office document titled OKX Binance & Huobi VIP fee comparision.xls instead of the MSI installer.

The malicious document contained a macro split into two parts. The first decoded a base64 blob containing a second OLE object, which in turn carried the second macro.

The first document also stored several base64-encoded variables that define where on the victim system the malware is written. The attackers used OpenDrive to host the final-stage payload.
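A first triage step for a document like this is to pull every long base64 literal out of the macro source and see what it decodes to: an OLE compound file (the container for the second-stage macro), a readable configuration string such as a drop path, or opaque binary. The script below is an added example, not code from Volexity or from the malicious document; the macro text it analyses is constructed inline (a fake OLE object consisting of the compound-file magic bytes plus padding, and a made-up drop directory), and the `Decode`/`WriteAndLoad` names are invented to stand in for whatever the real macro called.

```python
"""Pull base64-encoded stages and variables out of a VBA macro's source (added example)."""
import base64
import binascii
import re
import string

# Magic bytes of an OLE2 compound file, the container used by .doc/.xls and embedded OLE objects.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Double-quoted literals long enough to be worth decoding; short ones are noise.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def classify(blob):
    """Label a decoded literal as an OLE container, readable text, or opaque binary."""
    if blob.startswith(OLE_MAGIC):
        return "ole"
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    return "text" if all(c in PRINTABLE for c in text) else "binary"


def extract_stages(macro_source):
    """Return {'ole': [bytes], 'text': [str], 'binary': [bytes]} for every base64 literal found."""
    found = {"ole": [], "text": [], "binary": []}
    for literal in B64_LITERAL.findall(macro_source):
        try:
            blob = base64.b64decode(literal, validate=True)
        except binascii.Error:
            continue  # looked like base64 but was not
        kind = classify(blob)
        found[kind].append(blob.decode("ascii") if kind == "text" else blob)
    return found


# Constructed stand-in for the first-stage macro: the second OLE object and the drop
# path travel as base64 literals, mirroring the two-part macro described above.
FAKE_OLE_OBJECT = OLE_MAGIC + b"\x00" * 24          # magic + padding, not a real document
DROP_DIR = rb"C:\ProgramData\Update"                 # made-up install location
MACRO_SOURCE = (
    "Sub AutoOpen()\n"
    f'    dropDir = Decode("{base64.b64encode(DROP_DIR).decode()}")\n'
    f'    stage2 = Decode("{base64.b64encode(FAKE_OLE_OBJECT).decode()}")\n'
    '    MsgBox "Loading VIP fee comparison"\n'
    "    WriteAndLoad stage2, dropDir\n"
    "End Sub\n"
)

if __name__ == "__main__":
    stages = extract_stages(MACRO_SOURCE)
    for blob in stages["ole"]:
        print(f"embedded OLE object, {len(blob)} bytes: carve it and run olevba on it")
    for text in stages["text"]:
        print(f"decoded variable: {text}")
    for blob in stages["binary"]:
        print(f"opaque blob, {len(blob)} bytes: check for further encoding or encryption")
```

Anything that classifies as `ole` should be written to disk and handed to a VBA extractor such as olevba from oletools, since the second macro lives inside that container rather than in the text of the first one.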

The researchers were unable to retrieve the final payload from the October attacks. They did note that the DLL side-loading mechanism closely resembled the one used in the attacks involving the MSI installer.
