Lazarus Operation: AppleJeus – Trojanized trading app


What is AppleJeus? 

AppleJeus is the name given by Kaspersky's security researchers to an operation conducted by the Advanced Persistent Threat (APT) group Lazarus (also known as HIDDEN COBRA).

The operation trojanized what appeared to be a legitimate all-in-one cryptocurrency trading program, Celas Trade Pro, developed by Celas Limited (https://www.celasllc.com/), in order to deliver the Fallchill malware. Fallchill is a tool the Lazarus Group has used in the past and is now on the rise again; it can also run on non-Windows environments such as macOS.

The malware enumerates and gathers information about the target system and sends it to the attackers.

Researchers cannot say whether Celas LLC was compromised and the Lazarus Group found a way to abuse it, delivering the malware through the update process without modifying the trading application itself, or whether the whole campaign was designed to create the illusion of a real application from what was previously thought to be a real company. Evidence gathered during the research points to the latter: the company's C&C servers and SSL certificates share many similarities, and the operation is now believed to have been a malicious campaign from the beginning.

However, it is known that the Lazarus Group successfully compromised a number of banks and global cryptocurrency fintech companies in the past.

How does AppleJeus infect users? 

Celas Trade Application

The infection occurs when a victim downloads and installs the Celas Trade Pro trading application from the Celas LLC website; the installer itself was trojanized with the malware.

It is also known that the trojanized application was distributed by email, disguised as an update.

If you think you’re affected by this campaign, please contact us. LIFARS has conducted several engagements in the past that indicated Lazarus activity. 


Indicators of Compromise (IOCs)

File Hashes (malicious documents, trojans, emails, decoys)

Fallchill samples sharing the same RC4 key

Fallchill samples sharing the same C&C server

File paths
C:\Recovery\msn.exe
C:\Recovery\msndll.log
C:\Windows\msn.exe
C:\WINDOWS\system32\uploadmgrsvc.dll
C:\WINDOWS\system32\uploadmgr.dat 

Domains and IPs
www.celasllc[.]com/checkupdate.php (malware distribution URL)

196.38.48[.]121
185.142.236[.]226
80.82.64[.]91
185.142.239[.]173 
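As an added illustration (not code from the LIFARS post or from Kaspersky's research), the following Python sweep checks the file paths, the distribution URL and the IP addresses listed above against a constructed file listing and constructed proxy log lines; the sample data and the helper names are assumptions made for this example.

```python
# Added example: sweep endpoint file listings and proxy logs for the AppleJeus
# indicators listed on this page. Sample data below is constructed, not real.
import re

# File-path indicators from the page (matched case-insensitively, as Windows would).
IOC_FILE_PATHS = {
    r"C:\Recovery\msn.exe",
    r"C:\Recovery\msndll.log",
    r"C:\Windows\msn.exe",
    r"C:\WINDOWS\system32\uploadmgrsvc.dll",
    r"C:\WINDOWS\system32\uploadmgr.dat",
}
# Network indicators from the page, kept in their defanged form.
IOC_URL = "www.celasllc[.]com/checkupdate.php"
IOC_IPS = {"196.38.48[.]121", "185.142.236[.]226", "80.82.64[.]91", "185.142.239[.]173"}


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]') back into the form seen in real logs."""
    return value.replace("[.]", ".")


def match_paths(file_listing):
    """Return the entries of a file listing that equal one of the IOC paths."""
    wanted = {p.lower() for p in IOC_FILE_PATHS}
    return sorted(p for p in file_listing if p.lower() in wanted)


def match_log_lines(log_lines):
    """Return (line_no, indicator) pairs for lines containing the URL or a C2 IP.

    IPs are matched as whole dotted quads so that e.g. 1196.38.48.121 is not a hit.
    """
    url = refang(IOC_URL)
    ip_patterns = {refang(ip): re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])")
                   for ip in IOC_IPS}
    hits = []
    for n, line in enumerate(log_lines, 1):
        if url in line:
            hits.append((n, url))
            continue
        for ip, pattern in sorted(ip_patterns.items()):
            if pattern.search(line):
                hits.append((n, ip))
                break
    return hits


# Constructed sample input (hypothetical host listing and proxy log excerpt).
SAMPLE_LISTING = [r"C:\Windows\explorer.exe", r"C:\Recovery\MSN.EXE",
                  r"C:\WINDOWS\System32\uploadmgr.dat", r"C:\Users\alice\msn.exe"]
SAMPLE_LOGS = ["10.0.0.5 GET http://www.celasllc.com/checkupdate.php 200",
               "10.0.0.5 GET http://www.example.com/ 200",
               "10.0.0.5 CONNECT 196.38.48.121:443 200",
               "10.0.0.5 CONNECT 1196.38.48.121:443 200",
               "10.0.0.5 CONNECT 80.82.64.91:443 200"]
```

Running `match_paths(SAMPLE_LISTING)` and `match_log_lines(SAMPLE_LOGS)` flags the two planted paths and three of the five log lines; the near-miss IP on the fourth line is correctly ignored.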


Source(s):
https://securelist.com/operation-applejeus/87553/
Image credits: Wikipedia/Securelist.