lazarusholic

Everyday is lazarus.dayβ

Lazarus Group continues AppleJeus Operation

2021-10-11, Telsy
https://www.telsy.com/lazarus-group-continues-applejeus-operation/
#AppleJeus

Contents

Telsy analyzed new samples related to the threat actor Lazarus Group and in particular to the 'AppleJeus Operation'.
Introduction
While some of the details have changed, the methods used in the current scheme look very similar to how 'AppleJeus' worked previously.
They both use legitimate cryptotrading applications and both have a secondary program which is the malware component.
The hacker group released a trojanized version of the legitimate cryptotrading application “QtBitcoinTrader”, although, unlike the previous operations, the various stages of the infection all resided within the MSI package.
The MSI package embeds a malicious library and a shellcode, and has a very low detection rate on VirusTotal.
After dropping its content into the directory '%appdata%/QtBitcoinTrader', the installer also copies the legitimate executable 'CertEnrollCtrl.exe' into the same directory and then schedules it as a task.
The malicious library “dsparse.dll” is loaded through the 'DLL Side-Loading' technique: it is loaded by the process 'CertEnrollCtrl.exe'.
The legit library 'dsparse.dll', …

IoC

198.54.121.240