Researchers have discovered an ongoing, sophisticated and substantially reworked malware campaign called “AppleJeus”, run by Lazarus, one of the world’s most active and notorious hacking groups, to target both Windows and macOS users.
Lazarus first launched the AppleJeus campaign in 2018; since then the group has made significant changes to its attack methodology and has now developed its own homemade macOS malware.
The new macOS variant adds an authentication mechanism so that the next-stage payload is delivered only to verified targets, and it then loads that payload in memory without touching the disk.
To attack Windows users, the group has equipped the malware with a multi-stage infection procedure and significantly changed the final payload.
The AppleJeus campaign mainly targets cryptocurrency businesses, continuing to use a similar modus operandi, and it relies on publicly available source code to build its crafted macOS installers.
While analysing the ongoing campaign, researchers found victims that had also been compromised by the Windows version of AppleJeus, but they could not identify the initial installer stage.
AppleJeus Infection Process
A multi-stage infection process is used to attack Windows-based systems; it starts with .NET malware that mimics a WFC wallet updater.
The malware decrypts the file “WFC.cfg”, and the wallet updater then connects to the C2 infrastructure, resolving the following domains:
- wfcwallet.com (resolved ip: 184.108.40.206)
- www.chainfun365.com (resolved ip: 220.127.116.11)
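The two C2 domains and their resolved IPs above are the kind of indicator a defender would hunt for in DNS telemetry. The following is an added example, not code from the Kaspersky report: it scans constructed DNS resolver log lines in an assumed "timestamp client_ip qname answer_ip" format and flags any lookup that touches the listed domains (or their subdomains) or the listed IPs.

```python
import re
from collections import namedtuple

# Indicators quoted in the article: the C2 domains and the IPs they resolved to.
C2_DOMAINS = {"wfcwallet.com", "www.chainfun365.com"}
C2_IPS = {"184.108.40.206", "220.127.116.11"}

# Constructed log format (assumption): "timestamp client_ip qname answer_ip" per line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
Hit = namedtuple("Hit", "client qname answer reason")


def normalise(qname):
    """Lower-case the name and strip the trailing dot many resolvers log."""
    return qname.lower().rstrip(".")


def scan_dns_log(lines):
    """Return one Hit per resolution that touches a C2 domain or C2 IP.

    A name matches if it equals an indicator domain or is a subdomain of it,
    so a minor label change by the actor does not evade the check.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the scan
        _ts, client, qname, answer = m.groups()
        q = normalise(qname)
        reasons = []
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            reasons.append("c2-domain")
        if answer in C2_IPS:
            reasons.append("c2-ip")
        if reasons:
            hits.append(Hit(client, q, answer, "+".join(reasons)))
    return hits


# Constructed sample: two benign lookups (RFC 5737 addresses) and two matches.
SAMPLE_LOG = [
    "2019-12-02T10:01:04Z 10.0.0.5 www.example.com. 192.0.2.10",
    "2019-12-02T10:01:09Z 10.0.0.5 WFCwallet.com. 184.108.40.206",
    "2019-12-02T10:02:11Z 10.0.0.7 update.chainfun365.com. 220.127.116.11",
    "2019-12-02T10:03:30Z 10.0.0.9 updates.example.net. 198.51.100.20",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.qname} ({hit.answer}) [{hit.reason}]")
```

The third sample line matches on the answer IP only, which is why the check keeps both domain and IP indicators rather than relying on the domain alone.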
Later, the actor delivered further hacking tools and used command-line parameters to establish remote tunneling; Kaspersky researchers identified CenterUpdater.exe as the tool used to create a tunnel to a remote host.
Researchers also found a Windows version of UnionCryptoTrader; its execution relies on the Telegram messenger, and the associated Telegram group was found on the actor’s fake website.
Kaspersky’s research team believes the actor delivered the manipulated installer via the Telegram messenger.
The overall infection procedure was very similar to the WFCWallet case, but with an added injection step, and only the final backdoor payload was used rather than a tunneling tool.
For the macOS malware, the attackers named their fake website and application JMTTrading; various other vendors have also reported on the Mac version of AppleJeus, where the malicious application was named UnionCryptoTrader.
Kaspersky researchers found several fake websites posing as cryptocurrency trading businesses, all built from free web templates.
AppleJeus has claimed victims around the globe, including in the UK, Poland, Russia and China, and several of them are linked to cryptocurrency business entities.
“The actor altered their macOS and Windows malware considerably, adding an authentication mechanism in the macOS downloader and changing the macOS development framework,” Kaspersky said.