Lazarus APT uses fake cryptocurrency apps to spread AppleJeus Malware

The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware.

Volexity researchers warn of a new malware campaign carried out by the North Korea-linked Lazarus APT against cryptocurrency users. The threat actors were observed spreading fake cryptocurrency apps under the fake brand BloxHolder to deliver the AppleJeus malware, gaining initial access to networks and stealing crypto assets.

The APT group has employed the AppleJeus malware since at least 2018 to steal cryptocurrencies from its victims.

The new campaign observed by Volexity started in June 2022, when the APT group registered the domain name bloxholder[.]com and then set up a website related to automated cryptocurrency trading.

The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022.

In this campaign, the threat actors used the “bloxholder[.]com” domain, a clone of the HaasOnline automated cryptocurrency trading platform.

The website is a clone of the legitimate HaasOnline website (haasonline[.]com).

The attackers used the website to distribute a Windows MSI installer masquerading as the BloxHolder app, which was used to install the AppleJeus malware alongside the QTBitcoinTrader app.

“This discovered file, the “BloxHolder application”, is actually another case of AppleJeus being installed alongside the open-source cryptocurrency trading application QTBitcoinTrader that is available on GitHub. This same legitimate application has previously been used by the Lazarus Group, as documented in this report from CISA.” reads the report published by Volexity. “The MSI file is used to install both the malicious and legitimate applications at the same time.”

In October 2022, the researchers observed the Lazarus Group installing AppleJeus using a weaponized Microsoft Office document, named ‘OKX Binance & Huobi VIP fee comparision.xls,’ instead of an MSI installer.

The document contains a macro split into two parts: the first one decodes a base64 blob that contains a second OLE object, which in turn carries a second macro. The initial document also stores several base64-encoded variables that define where the malware will be deployed on the infected system.

The final-stage payload is downloaded from a public file-sharing service, OpenDrive.

Volexity experts were not able to retrieve the final payload employed since October, but they noticed that its DLL sideloading mechanism is similar to the one used in the attacks relying on the MSI installer.

“While the file was not available at the time of analysis, based on public sandbox results for the file in question, the downloaded payload, “Background.png”, embeds the following three files:

  • “Logagent.exe” – a legitimate file (md5: eb1e19613a6a260ddd0ae9224178355b)
  • “wsock32.dll” – a side-loaded library internally named HijackingLib.dll (md5: e66bc1e91f1a214d098cf44ddb1ae91a)
  • “56762eb9-411c-4842-9530-9922c46ba2da” – an encoded payload decoded by “wsock32.dll”

” continues the analysis. “The three files are dropped on disk using hardcoded offsets that can be found in the second macro.”

Experts speculate that Lazarus used DLL sideloading to hinder malware analysis; they also noticed that recent AppleJeus samples obfuscate strings and API calls using a custom algorithm.
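The three-file drop described above (a legitimate host EXE, a look-alike system DLL beside it, and a GUID-named encoded payload) is a pattern a defender can hunt for on disk. The following scanner is an added example written for this article, not Volexity's tooling: it walks a directory tree, flags any folder that holds that triad, scores the GUID-named blob by byte entropy (encoded payloads sit near 8 bits per byte), and compares the wsock32.dll hash against the MD5 quoted in the report. The directory it scans is constructed in a temp folder with stand-in contents, so the demo never touches real malware.

```python
import hashlib, math, os, re, tempfile
from collections import Counter

# MD5 of the side-loaded wsock32.dll as quoted in the Volexity report (taken from the article).
APPLEJEUS_WSOCK32_MD5 = "e66bc1e91f1a214d098cf44ddb1ae91a"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_sideload_triads(root: str, min_entropy: float = 7.0) -> list:
    """Flag directories holding an EXE, a wsock32.dll beside it (a system DLL name
    outside System32 is the side-loading tell) and a high-entropy GUID-named blob."""
    hits = []
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        exes = [by_lower[f] for f in by_lower if f.endswith(".exe")]
        blobs = [by_lower[f] for f in by_lower if GUID_RE.match(f)]
        if "wsock32.dll" not in by_lower or not exes or not blobs:
            continue
        with open(os.path.join(dirpath, by_lower["wsock32.dll"]), "rb") as fh:
            dll_md5 = hashlib.md5(fh.read()).hexdigest()
        for blob in blobs:
            with open(os.path.join(dirpath, blob), "rb") as fh:
                ent = shannon_entropy(fh.read())
            if ent >= min_entropy:  # a low-entropy GUID-named file is probably benign
                hits.append({"dir": dirpath, "exes": exes, "blob": blob,
                             "blob_entropy": round(ent, 2), "wsock32_md5": dll_md5,
                             "known_applejeus_dll": dll_md5 == APPLEJEUS_WSOCK32_MD5})
    return hits

def demo() -> list:
    """Constructed sample: write a fake triad into a temp dir and scan it."""
    d = os.path.join(tempfile.mkdtemp(), "BloxHolder")
    os.makedirs(d)
    samples = {"Logagent.exe": b"MZ" + b"\x00" * 64,               # stand-in for the legit host
               "wsock32.dll": b"MZ" + b"HijackingLib\x00" * 8,      # stand-in for the side-loaded DLL
               "56762eb9-411c-4842-9530-9922c46ba2da": os.urandom(4096)}  # high-entropy stand-in blob
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return find_sideload_triads(os.path.dirname(d))

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The stand-in DLL will not match the report's MD5, so `known_applejeus_dll` is False for the demo; on a real host the hash comparison is the high-confidence signal and the triad shape is the broader hunt.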

“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to allude detection, they have decided to use chained DLL side-loading to load their payload. Additionally, Volexity has not previously noted the use of Microsoft Office documents to deploy AppleJeus variants.” concludes Volexity. “Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances.”

Pierluigi Paganini

(SecurityAffairs – hacking, APT)