On 17 February, the Cybersecurity Infrastructure Security Agency (CISA), the Federal Bureau of<\/p>\n
Investigation (FBI), and the Department of Treasury (Treasury) published a joint report to highlight the cyber threat posed to cryptocurrency by North Korea, formally known as the Democratic People\u2019s Republic of Korea (DPRK); the report also provides mitigation recommendations and indicators of compromise for detection.1<\/sup> The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.2<\/sup><\/p>\n According to these agencies, the Lazarus Group is an advanced persistent threat (APT) group sponsored by the North Korean government. Since 2018, it has been targeting individuals and companies that run cryptocurrency exchanges and financial services, with various versions of AppleJeus, a trojanized cryptocurrency trading application. It enables threat actors to gain access to victims\u2019 systems to steal cryptocurrency, and it is compatible with both Windows and MacOS operating systems.<\/p>\n Lazarus has launched multiple versions of AppleJeus since Kaspersky discovered it in 2018.3<\/sup> The following sections of this report describe the capabilities of seven different versions of the malware, and there are many similarities across them. All use a Sectigo Secure Sockets Layer (SSL) certificate for the website marketing the malware. This kind of certificate is only domain-validated – the lowest level of authentication used to validate SSL certificates.<\/p>\n <\/p>\n In early AppleJeus campaigns, Lazarus used fake websites disguised as legitimate cryptocurrency trading platforms to spread the malware. Lazarus now uses other additional initial infection vectors, such as socially engineered phishing emails and social networking.<\/p>\n AppleJeus campaigns have targeted several industry sectors, including energy, finance, government, industry, technology and telecommunications. The DPRK likely views cryptocurrency theft as an opportunity to circumvent international sanctions imposed on them. More than 30 countries have been impacted over the last year by Lazarus\u2019 activity, including Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States.<\/p>\n In this campaign – which was ongoing until at least late January 2021 – Lazarus used a phishing email that spoofed Celas LLC and lured victims into downloading a malicious program named Celas Trade Pro from the actor-controlled site celasllc[.]com<\/em>. The program was a trojanized version of the legitimate cryptocurrency trading application, Q.T. Bitcoin Trader. The fake website allowed the victim to download either the Windows or MacOS version of the application.<\/p>\n When the user executed the Celas Trade Pro program, it installed and ran an embedded executable called Updater.exe,4<\/sup><\/em> which collected victim host information, then encrypted the data with with a hard-coded XOR key (Moz&Wie;#t\/6T!2y<\/em>), prepended the encrypted data with the image header \u201cGIF89a,\u201d and finally sent the data to its command and control (C&C) server, celasllc[.]com\/checkupdate[.]php<\/em>. Celas Trade Pro eventually downloaded and installed FALLCHILL, a remote access trojan (RAT) attributed to North Korea by the U.S. government, inside the victim\u2019s network.<\/p>\n From 29 May 2018 to 23 January 2021, the celasllc[.]com<\/em> domain resolved to nine IPv4 addresses.<\/p>\n Kaspersky discovered this campaign with a new version of AppleJeus in October 2019, due to similarities to the original malware. The campaign continued to be active until at least January 2021, although on 11 October 2019, the files on GitHub were updated to clean, non-malicious installers soon after Kaspersky tweeted about it.<\/p>\n In this campaign, a fake but legitimate-appearing cryptocurrency trading company called JMT Trading marketed a trojanized application on its website jmttrading[.]org.<\/em> Users were able to download either a Windows or MacOS-supported version via a link to the company\u2019s GitHub page. The download included a ZIP archive and TAR files containing the malware source code.<\/p>\n When a user executed the JMT Trading application, it installed and ran an embedded and heavily-obfuscated executable named CrashReporter.exe,5<\/sup><\/em> which collected victim host information and encrypted the data with a hard-coded XOR key (X,%`PMk–Jj8s+6=15:20:11<\/em>). The malware then sent the encrypted information to its C&C server, https[:]\/\/beastgoc.com\/grepmonux.php,<\/em> with a multipart form data separator (–wMKBUqjC7ZMG5A5g<\/em>). Unlike the Windows version, the MacOS installer did not have a digital certificate and thus warned the user before installation.<\/p>\n From 15 October 2016 to 22 January 2021, the jmttrading[.]org<\/em> domain resolved to 14 IPv4 addresses.<\/p>\n Two months after discovering the JMT Trading campaign above, Kaspersky found another new version of AppleJeus in December 2019 on Twitter. This malware version appears similar to another cryptocurrency application known as Blackbird Bitcoin Arbitrage and may even be a modification of this application. This version follows the previous AppleJeus versions\u2019 pattern of imitating a legitimate cryptocurrency trading application, in this case Union Crypto, to market and distribute malware on the website unioncrypto[.]vip. <\/em>Also similar to the previous versions, this one supports both Mac OS and Windows platforms. Through a VirusTotal report, a researcher found a download link (https:\/\/www.unioncrypto[.]vip\/download\/W6c2dq8By7luMhCmya2v97YeN<\/em>) for the MacOS version of Union Crypto Trader. The open source community also found that the Windows version may have been distributed via the instant messaging service Telegram.<\/p>\n The Windows version consisted of an executable file that extracted a temporary MSI installer that dropped an embedded executable called UnionCryptoUpdater.exe.6<\/sup><\/em> This executable installed itself as a service with a description stating it “Automatically installs updates for Union Crypto Trader.” It was set to run every time the user logged in, then collected the system information, combining it into a string that was MD5 hashed and stored in the auth_signature<\/em> variable before sending it to its C&C server https[:]\/\/unioncrypto[.]vip\/update<\/em>.<\/p>\n As with the previous version, the installer for MacOS had similar functionality to the Windows version, but it lacked a digital certificate and so the system will warn the user of that before installation.<\/p>\n From 5 June 2019 to 15 July 2020, the unioncrypto[.]vi<\/em>p domain resolved to five different IPv4 addresses.<\/p>\n Several months later, on 13 March 2020, researchers found another version of AppleJeus on kupaywallet[.]com,<\/em> the website of the fake but legitimate-appearing cryptocurrency company named Kupay Wallet. It appeared to be active until at least January 2021, and following the pattern of supporting both Windows and MacOS platforms.<\/p>\n Once the the malware runs its executable (Kupay.exe<\/em>), an embedded executable (KupayUpgrade.exe)7<\/sup><\/em> is extracted and executed. It installs itself as a service (“Automatic Kupay Upgrade”) to run every time the user logs on, then collects victim system information, which is combined into strings and sent to the C&C server https[:]\/\/kupaywallet[.]com\/kupay_update.php<\/em>. The Kupay Wallet malware is also capable of reading and writing files, as well as executing additional commands via the terminal.<\/p>\n This version is very similar to a legitimate open source cryptocurrency wallet known as Copay, which is distributed by the Atlanta-based company BitPay. Kupay appears to be a modification of this application, containing BitPay as the company listed in its version information, as well as sending a DNS request to bitpay[.]com<\/em> following a request to its own domain.<\/p>\n From 20 March 2020, to 16 January 2021, the kupaywallet[.]com<\/em> domain resolved to one IPv4 address.<\/p>\n Researchers found the fifth version of AppleJeus8<\/sup> on the website for another fake cryptocurrency wallet called CoinGoTrade (coingotrade[.]com<\/em>).<\/p>\n Following the previous patterns, CoinGoTrade was available for both Windows and MacOs. Once the user downloaded the executable, CoinGoTradeUpdate.exe9<\/sup><\/em> installed itself as a service (“Automatic CoinGoTrade Upgrade”) to run every time the user logged on, collected victim system information, combined the information into strings and sent it to one of its C&C servers.<\/p>\n From February 28, 2020, to January 23, 2021, coingotrade[.]com<\/em> resolved to one internet IPv4 address.<\/p>\n The sixth version of AppleJeus was also identified In March 2020. It was marketed and distributed by a fake but legitimate-looking company called Dorusio, on dorusio[.]com<\/em>. It is a trojanized version of Copay, and apart from the Dorusio logo and two additional services, the wallet appears to be the same as the Kupay Wallet, and was available for both Windows and MacOS.<\/p>\n Once the executable ran, the DorusioUpgrade.exe10<\/sup> executable followed the same steps as other versions: it installed itself as a service (“Automatic Dorusio Upgrade”) to run every time the user logged on, collected victim system information, combined the information in strings and sent it to one of its C&C servers.<\/p>\n From 30 March 2020 to 23 January 2021 dorusio[.]com<\/em> resolved to one internet IPv4 address.<\/p>\n In late 2020, a new version of AppleJeus was identified that was marketed and distributed by a legitimate-looking company called Ants2Whale on their website, ants2whale[.]com<\/em>. In this case, the website contained many grammatical errors indicating that the author was not likely a native English speaker. The website also stated the user must contact the website administrators to download Ants2Whale because it is a premium package.<\/p>\n Following the previous patterns, Ants2Whale was available for both Windows and MacOS; however, only the MacOS version was available for analysis. Analysis of the MacOS version confirmed that Ants2Whale11<\/sup> used the same techniques described in previous versions.<\/p>\n From 23 September 2020 to 22 January 2021 ants2whale[.]com<\/em> domain resolved to one IPv4 address.<\/p>\n According to CISA, organizations whose networks have been infected by AppleJeus should immediately take these initial actions:<\/p>\n To mitigate and reduce the risk of being affected by AppleJeus, consider the following recommendations:<\/p>\n Below is a list of known IOCs related to this attack.<\/p>\n2.\u00a0 Analysis<\/h3>\n
2.1.\u00a0 Initial Vector<\/h4>\n
2.2.\u00a0 Targets<\/h4>\n
2.3.\u00a0 AppleJeus Version 1: Celas Trade Pro<\/h4>\n
2.4.\u00a0 AppleJeus Version 2: JMT Trading<\/h4>\n
2.5.\u00a0 AppleJeus Version 3: Union Crypto<\/h4>\n
2.6.\u00a0 AppleJeus Version 4: Kupay Wallet<\/h4>\n
2.7.\u00a0 AppleJeus Version 5: CoinGoTrade<\/h4>\n
2.8.\u00a0 AppleJeus Version 6: Dorusio<\/h4>\n
2.9.\u00a0 AppleJeus Version 7: Ants2Whale<\/h4>\n
3.\u00a0 Prevention and Mitigation<\/h3>\n
\n
3.1\u00a0 Cryptocurrency Users<\/h4>\n
\n
3.2\u00a0 Financial Service Companies<\/h4>\n
\n
3.3\u00a0 Cryptocurrency Businesses<\/h4>\n
\n
3.4\u00a0 All Organizations<\/h4>\n
\n
4.\u00a0 Indicators of Compromise<\/h3>\n