AppleJeus Malware Detection: North Korea-Linked Lazarus APT Spreads Malicious Strains Masquerading as Cryptocurrency Apps

AppleJeus Malware Detection

A notorious North Korea-backed APT group, Lazarus, continuously broadens its attack surface, leveraging fraudulent cryptocurrency apps to distribute the AppleJeus malware. In this latest adversary campaign, Lazarus hackers use fake cryptocurrency apps dubbed BloxHolder to drop AppleJeus malware, gain initial access to networks, and steal crypto assets.

During the last four years, Lazarus APT group has been specifically interested in attacking cryptocurrency and blockchain businesses for financial gain. For example, in April 2022, the TradeTraitor campaign by Lazarus came into the spotlight targeting trading, exchange, and investment-oriented companies, NFTs or crypto play-to-earn gaming businesses, as well as individual holders of cryptocurrency wallets and NFTs.

Detect AppleJeus Malware 

The Lazarus Group is a notorious hacking organization backed by the North Korean state. This APT group has been on the radar since at least 2009 and is suspected of being behind a number of high-profile campaigns, including cyberwarfare, cyberespionage, and ransomware attacks. To proactively defend against the latest Lazarus campaign distributing enhanced AppleJeus malware version, opt into downloading a batch of dedicated Sigma rules from SOC Prime´s Detection as Code platform: 

Sigma Rules to Detect AppleJeus Malware by Lazarus APT Group

All the detection content above is mapped to the MITRE ATT&CK® framework and supports translations to 25+ industry-leading SIEM, EDR, BDP, and XDR alert and query formats. The detection algorithms are provided both by the SOC Prime Team and our seasoned Threat Bounty developers, ensuring a variety of rules to match your threat profile and technology kit in use. 

Join our Threat Bounty Program for cyber defenders to create your own Sigma rules, publish them to the world’s largest threat detection marketplace, and earn money for your contribution. With SOC Prime’s Threat Bounty, you can literally code your CV, while gaining Sigma & ATT&CK knowledge and polishing Threat Hunting and Detection Engineering skills.

To date, SOC Prime Platform aggregates a variety of Sigma rules detecting tools and attack techniques associated with the Lazarus APT collective. Hit the Explore Detections button to check the detection algorithms accompanied by the corresponding ATT&CK references, threat intelligence links, and other relevant metadata.

Explore Detections

AppleJeus Malware Description: Attack Analysis of the Latest Activity by Lazarus APT

The state-sponsored North Korean Lazarus APT group also known as HIDDEN COBRA is behind a wave of new cyber attacks targeting network and cryptocurrency users by distributing fake crypto apps under the moniker BloxHolder and spreading AppleJeus malware on the compromised systems.

The hacking collective has been distributing AppleJeus since 2018 to steal cryptocurrency from targeted users. In February 2021, CISA, FBI, and the Department of Treasury (Treasury) issued a joint advisory with the details of AppleJeus malware along with mitigation recommendations. Lazarus APT group responsible for the delivery of this malware targeted individual users and organizations worldwide in multiple industry sectors, including cryptocurrency exchanges and financial institutions, attempting to steal cryptocurrency assets. According to this advisory, the North Korean nation-backed hacking collective was leveraging up to seven different AppleJeus variants since 2018, constantly upgrading and enriching them with enhanced capabilities. 

Volexity cybersecurity researchers were the first to observe a new activity of the Lazarus threat actors in June 2022, installing AppleJeus using weaponized Microsoft Office document files as lures to attract the attention of the targeted cryptocurrency users. Hackers registered a new domain name, bloxholder[.]com, for a cryptocurrency trading platform. The investigation has shown that the latter was a sheer clone of another legitimate website. Cybersecurity researchers came across this fake BloxHolder website, which gave a name to the related malicious campaign, after observing the AppleJeus malicious strain within the MSI file attempting to lure cryptocurrency users into downloading the crypto app and triggering the infection chain. As soon as the lure file installs the legitimate app, it creates a scheduled task and drops malicious files in the system folder, which results in deploying the novel variant of AppleJeus malware. 

In October 2022, the hacking collective advanced its malicious campaigns by leveraging Microsoft Office documents instead of the MSI installer to deliver AppleJeus. In the latest cyber attacks, Lazarus hackers have also enhanced their offensive capabilities by applying a chained DLL side-loading technique to load malware, which enables them to evade detection. In addition, in the most recent campaign spreading AppleJeus malware, all strings and API calls are obfuscated by leveraging a custom encryption algorithm, which poses another challenge to cyber defenders to timely identify the infection. 

Growing volumes of cyber attacks by the infamous state-backed Lazarus APT group and their increasing sophistication require ultra-responsiveness from cyber defenders. Browse socprime.com to search for Sigma rules against current and emerging threats, including malware affecting cryptocurrency users, and reach over 9,000 ideas for Detection Engineering and Threat Hunting along with comprehensive cyber threat context. Or upgrade to On Demand as part of our Cyber Monday deal valid through December, 31, and get up to 200 premium Sigma rules of your choice in addition to the detection stack available in your chosen package.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts