Authors: Victor Sandin and Christopher Kim
1. Executive Summary
On 17 February, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury (Treasury) published a joint report to highlight the cyber threat posed to cryptocurrency by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK); the report also provides mitigation recommendations and indicators of compromise for detection.1 The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.2
According to these agencies, the Lazarus Group is an advanced persistent threat (APT) group sponsored by the North Korean government. Since 2018, it has been targeting individuals and companies that run cryptocurrency exchanges and financial services, with various versions of AppleJeus, a trojanized cryptocurrency trading application. It enables threat actors to gain access to victims’ systems to steal cryptocurrency, and it is compatible with both Windows and MacOS operating systems.
Lazarus has launched multiple versions of AppleJeus since Kaspersky discovered it in 2018.3 The following sections of this report describe the capabilities of seven different versions of the malware, and there are many similarities across them. All use a Sectigo Secure Sockets Layer (SSL) certificate for the website marketing the malware. This kind of certificate is only domain-validated – the lowest level of authentication used to validate SSL certificates.
2.1. Initial Vector
In early AppleJeus campaigns, Lazarus used fake websites disguised as legitimate cryptocurrency trading platforms to spread the malware. Lazarus now uses other additional initial infection vectors, such as socially engineered phishing emails and social networking.
AppleJeus campaigns have targeted several industry sectors, including energy, finance, government, industry, technology and telecommunications. The DPRK likely views cryptocurrency theft as an opportunity to circumvent international sanctions imposed on them. More than 30 countries have been impacted over the last year by Lazarus’ activity, including Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States.
2.3. AppleJeus Version 1: Celas Trade Pro
In this campaign – which was ongoing until at least late January 2021 – Lazarus used a phishing email that spoofed Celas LLC and lured victims into downloading a malicious program named Celas Trade Pro from the actor-controlled site celasllc[.]com. The program was a trojanized version of the legitimate cryptocurrency trading application, Q.T. Bitcoin Trader. The fake website allowed the victim to download either the Windows or MacOS version of the application.
When the user executed the Celas Trade Pro program, it installed and ran an embedded executable called Updater.exe,4 which collected victim host information, encrypted the data with a hard-coded XOR key (Moz&Wie;#t/6T!2y), prepended the encrypted data with the image header “GIF89a”, and finally sent the data to its command and control (C&C) server, celasllc[.]com/checkupdate[.]php. Celas Trade Pro eventually downloaded and installed FALLCHILL, a remote access trojan (RAT) attributed to North Korea by the U.S. government, inside the victim’s network.
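The beacon format described above (host information, XOR-encrypted with the hard-coded key, then prefixed with the fake “GIF89a” header) is simple enough to decode during incident response. The following is an added example for analysts triaging captured POST bodies; it is not code from the CISA report or from the malware. Only the key and the header come from the report; the layout of the host-information string, the plausibility threshold and the sample bodies are constructed assumptions.

```python
"""Decoder for the AppleJeus v1 (Celas Trade Pro) host-information beacon.
Added example for incident responders; not code from the CISA report or the malware."""
from typing import Optional

# Values as stated in the report text above
CELAS_XOR_KEY = b"Moz&Wie;#t/6T!2y"
FAKE_GIF_HEADER = b"GIF89a"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. It is its own inverse, so the same function both
    builds the constructed sample below and decodes a captured beacon."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Plausibility check: decoded host info should be mostly printable ASCII.
    This keeps an ordinary GIF upload from being reported as a beacon."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) >= threshold


def decode_celas_beacon(body: bytes) -> Optional[bytes]:
    """Return the decoded host-information bytes for a v1 beacon, or None if the
    body is not shaped like one (no fake GIF header, or non-text after XOR)."""
    if not body.startswith(FAKE_GIF_HEADER):
        return None
    decoded = xor_with_key(body[len(FAKE_GIF_HEADER):], CELAS_XOR_KEY)
    return decoded if looks_like_text(decoded) else None


def triage_post_bodies(bodies):
    """Run the decoder over captured POST bodies (from a proxy log or PCAP) and
    return (index, decoded text) for each body that decodes as a v1 beacon."""
    hits = []
    for i, body in enumerate(bodies):
        decoded = decode_celas_beacon(body)
        if decoded is not None:
            hits.append((i, decoded.decode("ascii", errors="replace")))
    return hits


# Constructed sample. The key=value layout is an assumption: the report does not
# reproduce the host-information format, only the key and the header.
SAMPLE_HOST_INFO = b"hostname=WS-FIN-07;user=analyst;os=Windows 10;arch=x64"
SAMPLE_BEACON = FAKE_GIF_HEADER + xor_with_key(SAMPLE_HOST_INFO, CELAS_XOR_KEY)

# Other captured bodies that must not be flagged (also constructed):
# a body that starts like a genuine GIF, and a plain form submission.
SAMPLE_BODIES = [
    b"GIF89a\x10\x00\x10\x00\x80\x00\x00" + bytes(range(256)),
    SAMPLE_BEACON,
    b"user=bob&action=login",
]

if __name__ == "__main__":
    for idx, text in triage_post_bodies(SAMPLE_BODIES):
        print(f"body #{idx} decodes as an AppleJeus v1 beacon: {text}")
```

Because XOR with a fixed key is symmetric, the same routine serves to build a test vector and to decode real captures; the printable-ASCII check is what stops the decoder from reporting every GIF-prefixed request as a hit.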
From 29 May 2018 to 23 January 2021, the celasllc[.]com domain resolved to nine IPv4 addresses.
2.4. AppleJeus Version 2: JMT Trading
Kaspersky discovered this campaign with a new version of AppleJeus in October 2019, due to similarities to the original malware. The campaign continued to be active until at least January 2021, although on 11 October 2019, the files on GitHub were updated to clean, non-malicious installers soon after Kaspersky tweeted about it.
In this campaign, a fake but legitimate-appearing cryptocurrency trading company called JMT Trading marketed a trojanized application on its website jmttrading[.]org. Users were able to download either a Windows or MacOS-supported version via a link to the company’s GitHub page. The download included a ZIP archive and TAR files containing the malware source code.
When a user executed the JMT Trading application, it installed and ran an embedded and heavily obfuscated executable named CrashReporter.exe,5 which collected victim host information and encrypted the data with a hard-coded XOR key (X,%`PMk--Jj8s+6=15:20:11). The malware then sent the encrypted information to its C&C server, https[:]//beastgoc.com/grepmonux.php, as multipart form data using the boundary --wMKBUqjC7ZMG5A5g. Unlike the Windows version, the MacOS installer did not carry a digital certificate, so the system warned the user before installation.
From 15 October 2016 to 22 January 2021, the jmttrading[.]org domain resolved to 14 IPv4 addresses.
2.5. AppleJeus Version 3: Union Crypto
Two months after discovering the JMT Trading campaign above, in December 2019, Kaspersky found another new version of AppleJeus via a post on Twitter. This version resembles another cryptocurrency application, Blackbird Bitcoin Arbitrage, and may be a modification of it. It follows the previous versions’ pattern of imitating a legitimate cryptocurrency trading application, in this case Union Crypto, to market and distribute malware on the website unioncrypto[.]vip, and like them it supports both MacOS and Windows. Through a VirusTotal report, a researcher found a download link (https://www.unioncrypto[.]vip/download/W6c2dq8By7luMhCmya2v97YeN) for the MacOS version of Union Crypto Trader. The open source community also found that the Windows version may have been distributed via the instant messaging service Telegram.
The Windows version consisted of an executable file that extracted a temporary MSI installer that dropped an embedded executable called UnionCryptoUpdater.exe.6 This executable installed itself as a service with a description stating it “Automatically installs updates for Union Crypto Trader.” It was set to run every time the user logged in, then collected the system information, combining it into a string that was MD5 hashed and stored in the auth_signature variable before sending it to its C&C server https[:]//unioncrypto[.]vip/update.
As with the previous version, the MacOS installer had functionality similar to the Windows version, but it lacked a digital certificate, so the system warned the user before installation.
From 5 June 2019 to 15 July 2020, the unioncrypto[.]vip domain resolved to five different IPv4 addresses.
2.6. AppleJeus Version 4: Kupay Wallet
Several months later, on 13 March 2020, researchers found another version of AppleJeus on kupaywallet[.]com, the website of a fake but legitimate-appearing cryptocurrency company named Kupay Wallet. It appeared to be active until at least January 2021 and followed the pattern of supporting both Windows and MacOS.
Once the malware runs its executable (Kupay.exe), an embedded executable (KupayUpgrade.exe)7 is extracted and executed. It installs itself as a service (“Automatic Kupay Upgrade”) to run every time the user logs on, then collects victim system information, which is combined into strings and sent to the C&C server https[:]//kupaywallet[.]com/kupay_update.php. The Kupay Wallet malware is also capable of reading and writing files, as well as executing additional commands via the terminal.
This version is very similar to a legitimate open source cryptocurrency wallet known as Copay, which is distributed by the Atlanta-based company BitPay. Kupay appears to be a modification of this application, containing BitPay as the company listed in its version information, as well as sending a DNS request to bitpay[.]com following a request to its own domain.
From 20 March 2020, to 16 January 2021, the kupaywallet[.]com domain resolved to one IPv4 address.
2.7. AppleJeus Version 5: CoinGoTrade
Researchers found the fifth version of AppleJeus8 on the website for another fake cryptocurrency wallet called CoinGoTrade (coingotrade[.]com).
Following the previous patterns, CoinGoTrade was available for both Windows and MacOS. Once the user downloaded the executable, CoinGoTradeUpdate.exe9 installed itself as a service (“Automatic CoinGoTrade Upgrade”) to run every time the user logged on, collected victim system information, combined the information into strings and sent it to one of its C&C servers.
From 28 February 2020 to 23 January 2021, coingotrade[.]com resolved to one IPv4 address.
2.8. AppleJeus Version 6: Dorusio
The sixth version of AppleJeus was also identified in March 2020. It was marketed and distributed by a fake but legitimate-looking company called Dorusio, on dorusio[.]com. It is a trojanized version of Copay and, apart from the Dorusio logo and two additional services, appears to be the same as the Kupay Wallet; it was available for both Windows and MacOS.
Once the executable ran, the DorusioUpgrade.exe10 executable followed the same steps as other versions: it installed itself as a service (“Automatic Dorusio Upgrade”) to run every time the user logged on, collected victim system information, combined the information in strings and sent it to one of its C&C servers.
From 30 March 2020 to 23 January 2021, dorusio[.]com resolved to one IPv4 address.
2.9. AppleJeus Version 7: Ants2Whale
In late 2020, a new version of AppleJeus was identified that was marketed and distributed by a legitimate-looking company called Ants2Whale on their website, ants2whale[.]com. In this case, the website contained many grammatical errors indicating that the author was not likely a native English speaker. The website also stated the user must contact the website administrators to download Ants2Whale because it is a premium package.
Following the previous patterns, Ants2Whale was available for both Windows and MacOS; however, only the MacOS version was available for analysis. Analysis of the MacOS version confirmed that Ants2Whale11 used the same techniques described in previous versions.
From 23 September 2020 to 22 January 2021, the ants2whale[.]com domain resolved to one IPv4 address.
3. Prevention and Mitigation
According to CISA, organizations whose networks have been infected by AppleJeus should immediately take these initial actions:
- Contact the FBI, CISA, or Treasury12 immediately regarding any identified activity related to AppleJeus.
- Initiate an incident response plan.
- Create new keys for wallets, and/or move cryptocurrency to new wallets.
- Introduce a two-factor authentication solution as an extra layer of verification.
- Use hardware wallets, which keep the private keys in a separate, secured storage area.
- Move funds out of a compromised wallet. Do not use the trojanized applications listed in this advisory to transfer funds; prepare all transactions offline and then broadcast them to the network all at once in a short online session, ideally before the attacker accesses them.
- Isolate impacted hosts from the network and reimage them.
- Assume the threat actors have moved laterally within the network and downloaded additional malware. Create isolated subnets to block any communication between possible impacted hosts and the rest of the network.
- Change all passwords to any accounts associated with impacted hosts. Ensure that there is no future credential reuse.
- Install anti-virus software to run daily deep scans of the host and keep them updated with the latest signatures daily.
- Install host-based intrusion detection (HIDS) software and keep it up to date.
- Ensure all software and hardware is up-to-date, and all patches have been installed. Follow the principle of least privilege, to reduce the risk surface of various assets.
- Ensure the network-based firewall is installed and/or up-to-date, and apply appropriate firmware upgrades on a regular basis.
To mitigate and reduce the risk of being affected by AppleJeus, consider the following recommendations:
3.1 Cryptocurrency Users
- Verify the source of cryptocurrency-related applications and avoid installing applications downloaded from the Internet without confirming its legitimacy.
- Use multiple wallets for key storage, splitting the cryptocurrency appropriately between cold and hot storage.
- Enable multi-factor authentication for both user and device verification. Pay special attention to any suspicious logins.
- Prioritise cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.
- Consider having a dedicated device for cryptocurrency management. Hardware wallets offer an extra layer of protection by keeping the keys separately.
- Rotate credentials regularly and use unique strong passwords for each service.
3.2 Financial Service Companies
- Verify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks.13
- Report suspicious cyber and financial activities.
3.3 Cryptocurrency Businesses
- Comply with the Cryptocurrency Security Standard.14
3.4 All Organizations
- Add the listed IOCs in the table below to intrusion detection systems and security alert systems to block and report any suspicious activity.
- Maintain a proper security policy and stay vigilant through official authorities channels and security vendors for any updates regarding this threat actor.
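The recommendation above to feed the listed indicators into intrusion detection and alerting systems can be checked end to end against proxy and DNS logs. The following is an added example, not part of the CISA advisory or of any product: it takes the domains and C&C URL paths named in the narrative sections of this report, re-fangs them, and matches them against constructed log lines, rating a hit on a known C&C path higher than a bare domain contact. The log line format and the severity labels are assumptions.

```python
"""Match the AppleJeus network indicators named in this report against proxy/DNS logs.
Added example; not part of the CISA advisory. Log lines below are constructed."""
import re
from urllib.parse import urlsplit

# Domains as written (defanged) in the report narrative, with the version they belong to
INDICATORS = {
    "celasllc[.]com": "AppleJeus v1 (Celas Trade Pro)",
    "jmttrading[.]org": "AppleJeus v2 (JMT Trading)",
    "beastgoc[.]com": "AppleJeus v2 C&C",
    "unioncrypto[.]vip": "AppleJeus v3 (Union Crypto)",
    "kupaywallet[.]com": "AppleJeus v4 (Kupay Wallet)",
    "coingotrade[.]com": "AppleJeus v5 (CoinGoTrade)",
    "dorusio[.]com": "AppleJeus v6 (Dorusio)",
    "ants2whale[.]com": "AppleJeus v7 (Ants2Whale)",
}

# C&C URL paths named in the report; a hit on one of these is rated "high"
C2_PATHS = {"/checkupdate.php", "/grepmonux.php", "/update", "/kupay_update.php"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as celasllc[.]com back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(k): v for k, v in INDICATORS.items()}


def classify_host(host: str):
    """Return the indicator label for an exact domain match or any subdomain of it;
    substrings elsewhere in the name (e.g. notkupaywallet.com) do not match."""
    host = host.lower().rstrip(".")
    for domain, label in DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


# Assumed log format: "<timestamp> <source-ip> DNS <queried-name>" or
# "<timestamp> <source-ip> HTTP <full-url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>DNS|HTTP) (?P<target>\S+)$")


def scan_log(lines):
    """Return one alert dict per log line that touches a listed domain."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["kind"] == "DNS":
            host, path = m["target"], ""
        else:
            url = urlsplit(m["target"])
            host, path = url.hostname or "", url.path
        label = classify_host(host)
        if label is None:
            continue
        alerts.append({
            "ts": m["ts"], "src": m["src"], "host": host, "path": path,
            "label": label, "severity": "high" if path in C2_PATHS else "medium",
        })
    return alerts


# Constructed sample log: two hosts contacting listed domains, one benign host
SAMPLE_LOG = [
    "2021-01-20T10:02:11Z 10.0.0.15 DNS celasllc.com",
    "2021-01-20T10:02:12Z 10.0.0.15 HTTP https://celasllc.com/checkupdate.php",
    "2021-01-20T10:05:00Z 10.0.0.22 HTTP https://www.unioncrypto.vip/download/W6c2dq8By7luMhCmya2v97YeN",
    "2021-01-20T10:06:30Z 10.0.0.22 HTTP https://unioncrypto.vip/update",
    "2021-01-20T10:07:00Z 10.0.0.31 DNS example.com",
    "2021-01-20T10:08:00Z 10.0.0.31 DNS notkupaywallet.com",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['host']}{a['path']} ({a['label']})")
```

Matching on the registered domain plus its subdomains, rather than on a substring, is what keeps a look-alike such as notkupaywallet.com out of the alert list while still catching the www.unioncrypto[.]vip download host from the report.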
4. Indicators of Compromise
Below is a list of known IOCs related to this attack.
[Tables omitted from this copy; only their captions survive:]
- AppleJeus Version 1 domain, IP addresses and C&Cs
- AppleJeus Version 2 domain, IP addresses and C&Cs
- AppleJeus Version 3 domain, IP addresses and C&Cs
- AppleJeus Version 3 file hashes
- AppleJeus Version 4 domain, IP addresses and C&C
- AppleJeus Version 4 file hashes
- AppleJeus Version 5 domain, IP addresses and C&Cs
- AppleJeus Version 5 file hashes
- AppleJeus Version 6 domain and IP addresses
- AppleJeus Version 6 file hashes
- AppleJeus Version 7 domain and IP addresses
- AppleJeus Version 7 file hashes
- The alert https://us-cert.cisa.gov/ncas/alerts/aa21-048a gives a discovery timeframe of “early 2020;” however, the report https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e lists the discovery timeframe of October 2020.