WOBURN, Mass. – (BUSINESS WIRE) – In 2018, Kaspersky's Global Research and Analysis Team (GReAT) published findings on AppleJeus, an operation aimed at stealing cryptocurrency carried out by the prolific threat actor Lazarus Group. New findings now show that the notorious threat actor's operations continue with greater caution, improved tactics and procedures, and the use of Telegram as one of the new attack vectors. Victims in the UK, Poland, Russia and China, along with several business entities associated with cryptocurrency, were affected during the operation.
The Lazarus group is one of the most active and prolific Advanced Persistent Threat (APT) actors and has previously conducted a number of campaigns aimed at cryptocurrency-related organizations. During the first AppleJeus operation in 2018, the threat actor created a fake cryptocurrency company to deliver its manipulated application and to leverage a high level of trust among potential victims. The operation was notable for Lazarus's first macOS malware. Users downloaded the application from third-party websites, and the malicious payload was delivered disguised as a regular application update. The payload allowed the attacker to gain full control over the user's device and steal cryptocurrency.
Kaspersky researchers have recently identified significant changes in the group's attack tactics in its "follow-up" operation. The attack vector in Lazarus's 2019 attacks was similar to that of the previous year, but with some improvements. This time, Lazarus created fake cryptocurrency-related websites hosting links to Telegram channels of fake organizations, and delivered the malware through the messenger.
As with the first AppleJeus operation, the attack consisted of two phases. Users first download an application, and its bundled downloader fetches the next-stage payload from an external server, giving the attacker full control of the infected device through a persistent backdoor. This time, however, the payload was delivered carefully to evade behavior-based detection solutions. In attacks against macOS targets, an authentication mechanism was added to the macOS downloader and the development framework was changed. In addition, a fileless infection technique was used this time. When targeting Windows users, the attackers avoided the Fallchill malware used in the first AppleJeus operation and instead created malware that runs only on specific systems, after checking them against a set of predefined values. These changes show that the threat actor has become more cautious in its attacks and has adopted new methods to avoid detection.
Lazarus has also made significant changes to its macOS malware and has increased the number of variants. Unlike the previous attack, in which Lazarus used the open-source QtBitcoinTrader to build a trojanized macOS installer, this time the threat actor began using its own code to build the malicious installer. These developments indicate that the threat actor continues to modify its macOS malware, and our most recent detection is an intermediate result of these changes.
"The follow-up operation from AppleJeus shows that despite significant stagnation in the cryptocurrency markets, Lazarus continues to invest in cryptocurrency-related attacks by making them more advanced," said Seongsu Park, Kaspersky's security researcher. "Further changes and diversification of their malware show that there is no reason to believe that these attacks will not grow in number and become a more serious threat."
The Lazarus group, known for its advanced operations and its links with North Korea, is notorious not only for its cyber espionage and cyber sabotage attacks, but also for financially motivated attacks. A number of researchers, including those from Kaspersky, have previously reported that the group targets banks and other large financial companies.
For more information about the AppleJeus continuation, visit Securelist.com.
Kaspersky is a global cyber security company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly being transformed into innovative security solutions and services to protect businesses, critical infrastructure, governments, and consumers around the world. The company's comprehensive security portfolio includes industry-leading endpoint protection and a number of specialized security solutions and services to combat advanced and evolving digital threats. More than 400 million users are protected by Kaspersky technologies, and we help 270,000 business customers protect what is most important to them. More information at usa.kaspersky.com.