Fake Windows Crypto apps that spread AppleJeus malware

Cybersecurity researchers at Volexity have discovered a new wave of attacks in which the AppleJeus malware is distributed through fake cryptocurrency apps. The researchers claim that the North Korean APT group Lazarus is behind this new campaign.
It is worth noting that, as reported by Hackread.com in August 2018, the Lazarus hacker group was found using the AppleJeus malware against macOS in its attack against several cryptocurrency exchanges.
Campaign analysis
According to researchers, the notorious Lazarus hacker group uses a fake trading website and DLL side-loading to distribute malware. The primary targets of this campaign are cryptocurrency users and organizations.
In its recent attack, the group uses a variant of the AppleJeus malware distributed via malicious Microsoft Office documents. This campaign started in June 2022 and is still active.
“The Lazarus Group continues its efforts to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to hint at detection, they have decided to use chained DLL pageloading to load the payload. Despite these changes, their goals remain the same, with the cryptocurrency industry as a focus as a means for the DPRK to strengthen its economy,” researchers wrote in their blog posts.
Volexity’s findings shouldn’t come as a surprise; as of January 2022, Lazarus hackers have stolen $1.7 billion from cryptocurrency exchanges. In fact, it was reported in April 2022 that the group had used another piece of malware, called TraderTraitor, to target blockchain organizations.
How did the scheme work?
The scheme allegedly involves a live crypto-themed website with content stolen from a legitimate website. The AppleJeus malware was distributed with a new variant of DLL side-loading, which has not been documented in the wild.
Further investigation revealed that in June 2022, the threat actors registered a domain name (bloxholder[.]com, which was live at the time of writing) and configured it to host a website related to automated cryptocurrency trading.
This website was a fake version of the real cryptocurrency trading platform HaasOnline (haasonline[.]com). All references to HaasOnline were changed to BloxHolder, along with a few other tweaks.
The fake website distributes a malicious Windows MSI installer disguised as the BloxHolder app. This installer was used to install the AppleJeus malware along with the QTBitcoinTrader app.
Detailed analysis
Volexity researchers noted that the Lazarus hacker group installed the AppleJeus malware through malicious MS Office documents titled "OKX Binance & Huobi VIP fee comparision.xls" instead of an MSI installer. This development was observed in October 2022.
The malicious document contained a macro divided into two parts. The first decoded a base64 blob containing a second OLE object, which contained a second macro.
Moreover, the first document also stored various variables, encoded in base64, that define where the malware will be deployed on the affected system. In addition, the hackers used OpenDrive to distribute the latest payload.
However, researchers were unable to retrieve the final payload deployed since October. They noted that the DLL side-loading mechanism was similar to the one used in the attacks involving the MSI installer.
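As an added example (not Volexity's code and not taken from the original report), the following Python sketch shows how an analyst could triage macro text already extracted from a suspicious document: it joins concatenated VBA string literals, decodes the base64 ones, and flags any that begin with the OLE compound-file signature, as the embedded second object described above would. The sample macro, its variable names and the decoded path are constructed for illustration.

```python
import base64
import binascii
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary (OLE) header
# VBA joins string pieces with `&`, optionally continued onto the next line with ` _`
JOIN = re.compile(r'"\s*&\s*(?:_\s*)?"')
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def decode_macro_literals(vba_source):
    """Return (kind, decoded_bytes) for every string literal that is valid base64.

    kind is "ole-object" when the decoded bytes start with the OLE signature,
    otherwise "data" (for example an encoded path or configuration value).
    """
    joined = JOIN.sub("", vba_source)  # rebuild literals split across lines
    hits = []
    for match in B64_LITERAL.finditer(joined):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not; ignore it
        kind = "ole-object" if raw.startswith(OLE_MAGIC) else "data"
        hits.append((kind, raw))
    return hits


def build_sample():
    """Constructed macro text: one encoded path and one stub OLE header split in pieces."""
    blob = base64.b64encode(OLE_MAGIC + bytes(24)).decode()
    parts = [blob[i:i + 12] for i in range(0, len(blob), 12)]
    body = '" & _\n        "'.join(parts)
    return ('Sub Workbook_Open()\n'
            '    cfg = "QzpcVXNlcnNcUHVibGlj"\n'  # constructed value: C:\Users\Public
            f'    stage2 = "{body}"\n'
            'End Sub\n')


if __name__ == "__main__":
    for kind, raw in decode_macro_literals(build_sample()):
        print(f"{kind:10} {len(raw):4d} bytes  {raw[:16]!r}")
```

A literal flagged as "ole-object" can be written to disk and passed to the same macro-extraction step for a second pass.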