Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware

2018-08-23, Kaspersky
https://securelist.com/operation-applejeus/87553/
#Cryptocurrency #AppleJeus

Overview
Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cybersabotage, the attacker has been targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.
Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate-looking website, and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of …

IoC
