- Volexity has observed new activity tied to a North Korean threat actor that involves a campaign likely targeting cryptocurrency users and organizations.
- The threat actor is using a variant of the AppleJeus malware by way of malicious Microsoft Office documents.
- The analysis of the deployed AppleJeus malware uncovered a new variation of DLL side-loading to load their payload.
Volexity has announced that it has observed new activity related to the notorious North Korean hacker group known as Lazarus Group. The report shows that the threat actors are targeting cryptocurrency users and organizations with fake cryptocurrency apps, spreading a variant of the AppleJeus malware by way of malicious Microsoft Office documents.
Live cryptocurrency-themed website
During the investigation, Volexity discovered a live cryptocurrency-themed website, bloxholder[.]com, which was registered in June of 2022. Its contents were copied from a legitimate cryptocurrency website, HaasOnline. The website was discovered when a new AppleJeus malware sample, bundled as part of a Microsoft Installer (MSI) file, was identified.
The application, also named BloxHolder, installs AppleJeus alongside the open-source cryptocurrency trading application QTBitcoinTrader, a legitimate application that can be found on GitHub. According to CISA’s reports, this is not the first time the hacker group has used that application. While installing the application, the MSI file also creates a scheduled task and drops additional malicious files. The task runs at log-on and executes another legitimate executable, CameraSettingsUIHost.exe, a Microsoft file that assists with the use of a webcam on the system, with two arguments: 18e190413af045db88dfbd29609eb877 and lion.
The second command-line argument, “lion”, is the XOR key, which is 8 bytes in length, used to decode the file. The decoded PE file is a downloader, of which two variants exist. It collects data from the system and downloads shellcode from the command-and-control server. The following data is collected:
- MAC address
- Computer name
- OS version
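As an added illustration (not code from the Volexity report), the following Python shows two analyst-side checks for the chain described above: decoding a file with the command-line XOR key and confirming the result is a PE, and flagging a scheduled-task or process command line shaped like the reported CameraSettingsUIHost.exe invocation. It assumes the key is applied as a plain repeating-byte XOR; the PE buffer is a constructed stand-in, not the real downloader.

```python
import ntpath
import re
import shlex
import struct
from typing import Optional

# Constructed stand-in for the decoded downloader: a minimal buffer with a valid
# DOS header (MZ magic, e_lfanew at 0x3C) pointing at a PE\0\0 signature.
def build_fake_pe() -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 58) + struct.pack("<I", 64)  # e_lfanew = 64
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme); the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' magic and that e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def decode_payload(blob: bytes, key: str) -> Optional[bytes]:
    """Apply the command-line key; return the buffer only if it decodes to a PE."""
    decoded = xor_with_key(blob, key.encode())
    return decoded if looks_like_pe(decoded) else None

HOST_BINARY = "camerasettingsuihost.exe"
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def matches_reported_invocation(cmdline: str) -> bool:
    """Flag a command line shaped like the reported one: CameraSettingsUIHost.exe
    followed by exactly two arguments, a 32-hex-character name and a short key."""
    parts = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    if not parts:
        return False
    image = ntpath.basename(parts[0].strip('"')).lower()
    if image != HOST_BINARY:
        return False
    args = parts[1:]
    return len(args) == 2 and bool(HEX32.match(args[0])) and len(args[1]) <= 16
```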
The AppleJeus variant’s network communication is similar to that described in the previous reporting by Kaspersky and CISA. Volexity said,
“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to elude detection, they have decided to use chained DLL side-loading to load their payload. Additionally, Volexity has not previously noted the use of Microsoft Office documents to deploy AppleJeus variants. Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances.”