APT Actor Spread AppleJeus Malware Disguised as Cryptocurrency Apps

VTA-00429 – APT Actor Spread AppleJeus Malware Disguised as Cryptocurrency Apps

The Lazarus Group threat actor has been observed leveraging fake cryptocurrency apps as a lure to deliver a previously undocumented version of the AppleJeus malware, according to new findings by cybersecurity researchers. The campaign targets cryptocurrency users and organizations, delivering the malware through malicious macros in Microsoft Office documents. The threat actor also sent spear-phishing messages offering high-paying jobs to employees of cryptocurrency companies, luring the victims into downloading the malicious cryptocurrency apps.

The APT actor is known to adopt a three-pronged approach, employing malicious cyber activity designed to collect intelligence, conduct attacks, and generate illicit revenue for the sanctions-hit nation. These threats are collectively tracked under the name Lazarus Group (aka Hidden Cobra or Zinc).

Earlier this April, the Cybersecurity and Infrastructure Security Agency (CISA) also warned of an activity cluster dubbed TraderTraitor that targets cryptocurrency exchanges and trading companies through trojanized crypto apps for Windows and macOS.

Attack Surfaces:
Email, Others, Web Application

MITRE ATT&CK Tactics:
Command and Control, Credential Access, Defense Evasion, Execution, Persistence

MITRE ATT&CK Techniques:
1. T1059 – Command and Scripting Interpreter
2. T1115 – Clipboard Data
3. T1176 – Browser Extensions
4. T1056 – Input Capture
5. T1140 – Deobfuscate/Decode Files or Information
6. T1106 – Native API
7. T1496 – Resource Hijacking
8. T1564 – Hide Artifacts
9. T1053 – Scheduled Task/Job

Active Defense Tactics:

Active Defense Techniques:

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures:
1. Add the IOC signatures to the endpoint security protection as custom threat detection rules. Refer to the IOC provided above to create a custom rule that blocks the respective file hashes and hostnames.
2. Download and use reputable antivirus software and ensure its signatures are up to date.
3. Disable/block macro execution in Microsoft Office.
4. A Network Intrusion Detection & Prevention System should be implemented in the organization’s network.
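One way to carry out step 1 in practice, as an added example that is not part of this advisory or SuperPRO's procedures: a small Python script that parses a custom IoC list of file hashes and hostnames, validates each indicator, and checks it against an endpoint hash export and resolver log lines. Every hash, hostname, file path and log line in it is a constructed placeholder (the advisory's indicator section above is empty here), and the `type,value` list format and the `host=... query=...` log format are assumptions about the tooling, not formats the advisory specifies.

```python
"""Match a custom IoC list (file hashes and hostnames) against endpoint
artefacts.  Every indicator, path and log line below is a constructed
placeholder for illustration; none comes from the advisory."""
import re

# Placeholder hashes built from a repeated pattern so they are visibly fake
# while still having the correct length for their algorithm.
PLACEHOLDER_SHA256 = "6e5a1fc4" * 8   # 64 hex chars
PLACEHOLDER_MD5 = "0f1e2d3c" * 4      # 32 hex chars

# IoC list in the shape an analyst pastes from an advisory (assumed format):
# one 'type,value' per line, '#' comments allowed.  The 'not-a-real-hash'
# line shows that malformed indicators are reported, not silently dropped.
IOC_TEXT = f"""
# type,value  (constructed placeholders)
sha256,{PLACEHOLDER_SHA256}
md5,{PLACEHOLDER_MD5}
sha256,not-a-real-hash
host,updates.example-crypto-wallet.invalid
host,cdn.example-trading-app.invalid
"""

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
_HEX = re.compile(r"^[0-9a-f]+$")


def parse_iocs(text):
    """Parse 'type,value' lines into a dict of normalised indicators.
    Hashes are lower-cased and length/charset checked so a pasted hash with
    a stray character cannot create a rule that never matches; hostnames
    are lower-cased with any trailing dot removed."""
    iocs = {"hashes": set(), "hosts": set(), "rejected": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip().lower()
        if kind in HASH_LENGTHS:
            if len(value) == HASH_LENGTHS[kind] and _HEX.match(value):
                iocs["hashes"].add(value)
            else:
                iocs["rejected"].append(line)
        elif kind == "host" and value and " " not in value:
            iocs["hosts"].add(value.rstrip("."))
        else:
            iocs["rejected"].append(line)
    return iocs


def host_is_blocked(name, blocked_hosts):
    """True if name equals a blocked host or is a subdomain of one, so
    'dl.cdn.<ioc>' is caught by an indicator for 'cdn.<ioc>'; the parent
    domain of an indicator is deliberately NOT matched."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in blocked_hosts)


def match_inventory(inventory, iocs):
    """inventory: iterable of (path, hash) pairs as exported by an EDR or a
    file-integrity tool; hash case is ignored."""
    return [(path, h.lower()) for path, h in inventory if h.lower() in iocs["hashes"]]


# Assumed resolver log format: '<timestamp> host=<endpoint> query=<qname>'
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<endpoint>\S+)\s+query=(?P<qname>\S+)")


def match_dns_log(lines, iocs):
    """Return (timestamp, endpoint, queried name) for each query that hits a
    blocked hostname; lines that do not fit the format are skipped."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and host_is_blocked(m["qname"], iocs["hosts"]):
            hits.append((m["ts"], m["endpoint"], m["qname"].lower().rstrip(".")))
    return hits


# Constructed endpoint artefacts: a hash export and a few resolver log lines.
SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\WalletSetup.msi", PLACEHOLDER_SHA256.upper()),
    ("C:\\Windows\\System32\\notepad.exe", "a" * 64),
    ("/Applications/Trader.app/Contents/MacOS/Trader", PLACEHOLDER_MD5),
]
SAMPLE_DNS_LOG = [
    "2022-05-01T10:00:00Z host=WS-042 query=updates.example-crypto-wallet.invalid",
    "2022-05-01T10:00:05Z host=WS-042 query=www.example.com",
    "2022-05-01T10:01:10Z host=MAC-07 query=dl.cdn.example-trading-app.invalid.",
    "garbage line that does not match the log format",
]


def scan(ioc_text=IOC_TEXT, inventory=SAMPLE_INVENTORY, dns_lines=SAMPLE_DNS_LOG):
    """Run both checks and return what a responder needs to triage."""
    iocs = parse_iocs(ioc_text)
    return {
        "rejected_iocs": iocs["rejected"],
        "file_hits": match_inventory(inventory, iocs),
        "dns_hits": match_dns_log(dns_lines, iocs),
    }


if __name__ == "__main__":
    for key, value in scan().items():
        print(key)
        for item in value:
            print("   ", item)
```

Two details matter when turning an advisory's indicators into blocking rules: hash comparison must be case-insensitive (vendors export upper- and lower-case hex interchangeably), and a hostname rule should cover subdomains of the indicator but not its parent domain, otherwise one indicator for a subdomain of a shared hosting provider would block the whole provider.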

Contributed by:  keevan
