Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/8/2020
03:50 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Kaspersky Researchers Find Lazarus Enhances Capabilities in AppleJeus Cryptocurrency Attack

Woburn, MA – January 8, 2020 – In 2018, Kaspersky’s Global Research and Analysis Team (GReAT) published findings on AppleJeus, an operation aimed at stealing cryptocurrency carried out by prolific threat actor, Lazarus group. Now, new findings show that their operations continue with more careful steps from the infamous threat actor, improved tactics and procedures and the use of Telegram as one of its new attack vectors. Victims in the UK, Poland, Russia and China, in addition to several business entities connected to cryptocurrency, were affected during the operation.

Lazarus group is one of the most active and prolific advanced persistent threat (APT) actors who have previously carried out a number of campaigns targeting cryptocurrency-related organizations. During their initial 2018 AppleJeus operation, the threat actor created a fake cryptocurrency company in order to deliver their manipulated application and exploit a high level of trust among potential victims. This operation was marked by Lazarus building its first macOS malware. The application was downloaded by users from third-party websites and the malicious payload was delivered via a disguised regular application update. The payload enabled the attacker to gain full control of the users’ device and steal cryptocurrency.

Kaspersky researchers have recently identified significant changes to the group’s attack tactics in their ‘sequel’ operation. The attack vector in Lazarus’ 2019 attacks mimicked the one from the previous year, but with some improvements. This time, Lazarus created fake cryptocurrency-related websites, which hosted links to fake organization Telegram channels and delivered malware via the messenger.

Just as in the initial AppleJeus operation, the attack consisted of two phases. Users would first download an application, and the associated downloader would fetch the next payload from a remote server, enabling the attacker to fully control the infected device with a permanent backdoor. However, this time the payload was delivered carefully in order to evade detection by behavior-based detection solutions. In attacks against macOS-based targets, an authentication mechanism was added to the macOS downloader and the development framework was changed. In addition, a file-less infection technique was adopted this time. When targeting Windows users, the attackers avoided the use of Fallchill malware (which was employed in the first AppleJeus operation) and created a malware that only ran on specific systems after checking them against a set of given values. These changes demonstrate that the threat actor has become more careful in their attacks, employing new methods to avoid detection.

Lazarus also made significant modifications in macOS malware and expanded the number of versions. Unlike in the previous attack, during which Lazarus used open source QtBitcoinTrader to build a crafted macOS installer, this time the threat actor started to use their homemade code to build a malicious installer. These developments signify that the threat actor will continue to create modifications of the macOS malware and our most recent detection was an intermediate result of these changes.

The AppleJeus sequel operation demonstrates that, despite significant stagnation in the cryptocurrency markets, Lazarus continues to invest in cryptocurrency-related attacks by making them more sophisticated,” said Seongsu Park, Kaspersky security researcher. “Further changes and diversification of their malware demonstrates that there is no reason to believe that these attacks will not continue to grow in numbers and become a more serious threat.” 

The Lazarus group, known for its sophisticated operations and links to North Korea, is notorious not only for its cyber-espionage and cybersabotage attacks, but also for financially-motivated attacks. A number of researchers, including those at Kaspersky, have previously reported on this group targeting banks and other large financial enterprises.

For more information about the AppleJeus Sequel, please visit Securelist.com.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Healthcare Industry Sees Respite From Attacks in First Half of 2020
Robert Lemos, Contributing Writer,  8/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
CVE-2020-24342
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.