Lazarus group's 'AppleJeus' sequel targets cryptocurrency traders

News by Chandu Gopalakrishnan

Threat actor Lazarus Group has launched a sequel to its AppleJeus operation, creating fake cryptocurrency-related websites to sow malware in the systems of those who fell for the ruse

Cryptocurrency has been the favourite ground for internet scamsters, with most of the 1,840 projects that have failed since 2017 proving to be outright scams. Prolific threat actor Lazarus Group has joined the bandwagon with a sequel to its AppleJeus operation, creating fake cryptocurrency-related websites to sow malware in the systems of those who fell for the ruse.

Kaspersky Labs in 2018 disclosed the details of AppleJeus, an operation aimed at stealing cryptocurrency carried out by the Lazarus group. Now, new findings show that the operation continues with improved tactics and procedures and the use of Telegram as one of its new attack vectors, said a Kaspersky report. The campaign has claimed several victims in the UK, Poland, Russia and China, with most of them connected to cryptocurrency business entities, the report said.

"This is a highly targeted campaign, and the group is using bespoke code rather than general-purpose malware. The methods we have identified for infecting its victims in this campaign are fake cryptocurrency websites and Telegram messenger," Kaspersky principal security researcher David Emm told SC Media UK.

The campaign is focused on collecting financial data from victims that can be used to steal money and is centred around financial organisations. Although the specifics of other victims are yet to be ascertained, it is certain that the campaign is focused on very specific businesses rather than consumers, he said.

"Typically, attacks by APT threat actors are focused on espionage, rather than theft of financial data. Lazarus has targeted financial institutions, including cryptocurrency businesses, for some time, continually looking to revamp its tools to maximise its success," Emm said.

"Lazarus isn't the only group focused on money; other examples in recent years include Carbanak and FIN7."

Similar to the initial AppleJeus operation, the 'sequel' attack consisted of two phases. Users would first download an application, and the associated downloader would fetch the next payload from a remote server, eventually giving the attacker full control of the infected device through a permanent backdoor.

However, this time the payload was delivered carefully in order to evade behaviour-based detection solutions, said the report. In attacks against macOS-based targets, an authentication mechanism was added to the macOS downloader and the development framework was changed. In addition, a fileless infection technique was adopted this time.

"We also found the actor’s Telegram group on their fake website. Based on these, we assess with high confidence that the actor delivered the manipulated installer using the Telegram messenger," said the report.

When targeting Windows users, the attackers avoided the Fallchill malware that was employed in the first AppleJeus operation. This time, they created malware that only ran on specific systems, after checking them against a set of given values. All these steps were taken to avoid detection, said the report.

Interestingly, the method of operation in the first campaign prompted Kaspersky to name it AppleJeus.

"The writer of the code developed this project under the codename 'Jeus', which we found in a PDB path included in the updater and used as a unique HTTP multipart message data separator string. Hence the 'Jeus' part of the campaign name. We used 'Apple' because, when the initial 'Operation AppleJeus' campaign appeared, it was the first time that this threat actor had targeted macOS," explained Emm.

Kaspersky's latest report comes at a time when the UK government has introduced the fifth EU Money Laundering Directive (5MLD) into UK law as part of 'The Money Laundering and Terrorist Financing (Amendment) Regulations 2019'. For the first time, the regulations now explicitly cover crypto-assets.

"It is the need for electronic verification that is likely to take most people by surprise. Any cryptocurrency exchange platform that does not already have a trusted means of doing this will need to implement this immediately to ensure they are compliant and save themselves from a heavy fine," commented Martin Cheek, managing director of SmartSearch.

"The regulations are designed to help tackle rising levels of fraud and eliminate money laundering, things that are likely to be a key priority for everyone this year."

"Lazarus has focused on developing legitimate-looking sites and using them to seed the infection. It's important that businesses relying on third-party software should ensure that the code is safe, rather than automatically trusting it because it has come from a legitimate-looking source," Emm warned.

Consumers already exploring cryptocurrencies, or planning to do so, should use reliable and proven cryptocurrency platforms, avoid clicking on links that lure them to an online bank or web wallet, and install a reliable security solution for comprehensive protection from a wide range of threats, the report recommended.
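Emm's advice that businesses verify third-party code rather than trust a legitimate-looking download site maps onto a concrete control: check the downloaded installer against a vendor signature whose public key was pinned out of band, before anything is executed. The Go program below is an added illustration of that check and is not code from Kaspersky or from the article. It uses only the standard library; the "installer" bytes, the vendor key pair and the tampered copy are all constructed in the example (a real vendor's key would come from documentation or a prior trusted channel, never from the same site the installer was fetched from). The Ed25519-over-SHA-256 scheme is an assumed design, not the scheme of any particular vendor.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// legitimateInstaller is a constructed stand-in for the bytes of a downloaded
// installer; in practice this would be the contents of the file on disk.
var legitimateInstaller = []byte("constructed-installer v1.0 (stand-in for a real binary)")

// VerifyInstaller returns nil only when sig is a valid Ed25519 signature over
// the SHA-256 digest of installer under vendorPub. The caller must pin
// vendorPub independently of the download site: a trojanised site can host a
// matching "checksum" or key just as easily as it hosts the installer.
func VerifyInstaller(vendorPub ed25519.PublicKey, installer, sig []byte) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("vendor public key has the wrong length")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has the wrong length")
	}
	digest := sha256.Sum256(installer)
	if !ed25519.Verify(vendorPub, digest[:], sig) {
		return errors.New("installer signature invalid: do not run this file")
	}
	return nil
}

// signInstaller models the vendor-side release step (hypothetical); it is here
// only so the example runs stand-alone.
func signInstaller(priv ed25519.PrivateKey, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return ed25519.Sign(priv, digest[:])
}

// Demo signs the genuine installer, then runs the check against both the
// genuine bytes and a tampered copy that differs by a few bytes. It returns
// whether each copy passed verification.
func Demo() (genuineOK bool, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig := signInstaller(priv, legitimateInstaller)

	genuineOK = VerifyInstaller(pub, legitimateInstaller, sig) == nil

	// Constructed tampering: a modified installer shipped with the vendor's
	// signature for the original, as a trojanised download site would.
	tampered := bytes.Replace(legitimateInstaller, []byte("v1.0"), []byte("v1.0-trojan"), 1)
	tamperedOK = VerifyInstaller(pub, tampered, sig) == nil

	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine installer accepted: %v\n", genuine)   // true
	fmt.Printf("tampered installer accepted: %v\n", tampered) // false
}
```

The design point is where the trust anchor lives: the signature alone proves nothing if the public key used to check it came from the same page as the download, which is exactly the situation a fake cryptocurrency site creates. Pin the key (or the vendor's certificate) before the download, and treat a verification failure as a reason not to run the file rather than as a nuisance to click through.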
