What is AppleJeus?
AppleJeus is a Lazarus Group operation that trojanized what appeared to be a legitimate all-in-one cryptocurrency trading program, Celas Trade Pro, developed by Celas Limited (https://www.celasllc.com/), in order to deliver Fallchill, a backdoor the Lazarus Group has used in the past and which has resurfaced in this campaign. Notably, the malware is not limited to Windows: a version running on non-Windows environments such as macOS was also observed.
Once installed, the malware enumerates the infected host, gathers basic system information about the target and sends it to the attackers.
Researchers cannot say for certain whether Celas LLC was itself compromised, with the Lazarus Group abusing its update mechanism to deliver the malware without modifying the trading application directly, or whether the whole company was a front set up to give the trojanized application the appearance of a real product from what was previously thought to be a real vendor. The evidence gathered during the research points to the latter: the company's C&C infrastructure and SSL certificates share many similarities, and the campaign is now believed to have been malicious from the beginning.
Regardless of which is the case, the Lazarus Group is known to have successfully compromised a number of banks and global cryptocurrency fintech companies in the past.
How does AppleJeus infect users?
The infection occurs when a victim downloads and installs the Celas Trade Pro trading application from the Celas LLC website; the installer itself was trojanized with the malware.
The trojanized application is also known to have been distributed by email, disguised as a software update.
If you think you’re affected by this campaign, please contact us. LIFARS has conducted several engagements in the past that indicated Lazarus activity.
Indicators of Compromise (IOCs)
File hashes (malicious documents, trojans, emails, decoys)
Fallchill payload: same RC4 key as previously known Fallchill samples
Fallchill payload: same C&C server as previously known Fallchill samples
Domains and IPs
www.celasllc[.]com/checkupdate.php (update-check endpoint used as the malware distribution URL)
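The distribution URL above is the one network indicator this page prints, and the practical question for a responder is whether any host in the estate ever reached it. The following script is an added example, not code from the original post or from LIFARS, that sweeps proxy log lines for that indicator and hashes files against a known-bad set. Everything beyond the celasllc[.]com URL is an assumption: the log format (timestamp, client, method, URL, status) is a constructed one, the sample log lines are made up for the demonstration, and the SHA-256 set is left empty because the page names the file-hash category but does not print any hashes.

```python
"""IOC sweep for the AppleJeus distribution URL (added example, not from the original post)."""
import hashlib
import re
from urllib.parse import urlsplit

# Network IOC exactly as the page prints it (defanged). Only this entry comes
# from the page; any further entries would be the operator's own additions.
NETWORK_IOCS = [
    "www.celasllc[.]com/checkupdate.php",
]

# File-hash IOCs: the page names this category but prints no hashes, so the
# set is intentionally empty and is meant to be filled from the vendor report.
KNOWN_SHA256 = set()


def refang(ioc):
    """Reverse common defanging ('[.]', 'hxxp') so an indicator can be compared to live data."""
    return (ioc.replace("[.]", ".")
               .replace("hxxp://", "http://")
               .replace("hxxps://", "https://"))


def parse_ioc(ioc):
    """Split a (possibly defanged) URL/domain IOC into (domain, path).

    A leading 'www.' is stripped from the domain so that the apex and every
    subdomain match; the path is kept so exact-URL hits can be distinguished.
    """
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s            # urlsplit only finds a host when a scheme is present
    u = urlsplit(s)
    host = (u.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, (u.path or "/")


def host_matches(log_host, ioc_domain):
    """Exact domain or any subdomain. This is a label-suffix check, not a substring
    check, so 'www.celasllc.com.evil.test' does NOT match 'celasllc.com'."""
    return log_host == ioc_domain or log_host.endswith("." + ioc_domain)


# Constructed log format: "<timestamp> <client> <method> <url> <status>" (an assumption).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_log(lines, iocs=NETWORK_IOCS):
    """Return one hit dict per log line that touches an IOC domain.

    kind == 'url' when domain and path both match the indicator,
    kind == 'domain' when only the domain matches (e.g. a CONNECT tunnel or '/').
    """
    parsed = [parse_ioc(i) for i in iocs]
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        url = m["url"]
        if "://" not in url:           # CONNECT lines carry 'host:port' with no scheme
            url = "http://" + url
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        for ioc_domain, ioc_path in parsed:
            if not host_matches(host, ioc_domain):
                continue
            kind = "url" if (u.path or "/") == ioc_path else "domain"
            hits.append({"line": lineno, "client": m["client"], "url": m["url"], "kind": kind})
            break
    return hits


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks so large installers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(paths, known=KNOWN_SHA256):
    """Return the paths whose SHA-256 is in the known-bad set."""
    return [p for p in paths if sha256_of_file(p) in known]


# Constructed proxy log excerpt; these are not real traffic records.
SAMPLE_LOG = """\
2018-08-24T10:01:02Z 10.0.0.5 GET https://www.celasllc.com/checkupdate.php 200
2018-08-24T10:01:09Z 10.0.0.5 GET https://www.celasllc.com/ 200
2018-08-24T10:02:11Z 10.0.0.7 GET https://www.example.com/checkupdate.php 200
2018-08-24T10:03:40Z 10.0.0.9 GET https://www.celasllc.com.evil.test/x 200
2018-08-24T10:04:15Z 10.0.0.5 CONNECT celasllc.com:443 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two details matter in practice: the domain comparison is a suffix check on a full label boundary, so a look-alike host that merely contains "celasllc.com" is not reported, and a CONNECT line to the bare domain is still surfaced as a domain-level hit, which is what a responder wants when the proxy cannot see the path inside a TLS tunnel.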
Image credits: Wikipedia/Securelist.