Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
December 1, 2022
Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware, delivered by way of malicious Microsoft Office documents. Volexity’s analysis of this campaign uncovered a live cryptocurrency-themed website whose contents were stolen from another, legitimate website. Further technical analysis of the deployed AppleJeus malware uncovered a new variation of DLL side-loading that Volexity has not previously seen documented in the wild.
This blog outlines new techniques used by the Lazarus Group, analyzes recent AppleJeus malware variants, shares indicators from other versions of this malware, and outlines links between this activity and historic campaigns. The end of the post includes detection and …
IoC