Kaspersky: Lazarus continues Operation AppleJeus on cryptocurrency business with enhanced capabilities

North Korea’s Lazarus continues to attack the cryptocurrency business with enhanced capabilities. It has been discovered by Kaspersky cyber security experts, who unveiled in 2018 Operation AppleJeus. This marked the first time cybercrime hackers had targeted macOS users, with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims. Researchers today identified significant changes to the group’s attack methodology. To hit macOS users, Pyongyang’s hackers have developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and significantly changed the final payload.

The cyber security experts: The Windows malware

The cyber security experts, during ongoing tracking of AppleJeus campaign, found that the infection started from a malicious file named WFCUpdater.exe. Lazarus used a multi-stage infection like before, but the method was different. The infection started from .NET malware, disguised as a WFC wallet updater. This is responsible for decrypting the WFC.cfg file in the same folder with a hardcoded 20-byte XOR key. This mimics the wallet updater connected to the C2 addresses. After that, it carries out the malware operator’s commands in order to install the next stage permanent payload. Cybercrime actor delivered two more files into the victim’s system folder: rasext.dll and msctfp.dat. They used the Remote Access Connection Manager Windows service to register the next payload with a persistence mechanism. After reconnaissance, the delivered payload is implanted by manually. 

The last macOS malicious code: UnionCryptoTrader

Cyber security experts identified also more heavily deformed macOS malware. Last one is UnionCryptoTrader. The post-install script is identical to that used in the JMTTrading case; North Korea’s hackers used SWIFT to develop it. Then, they changed the method for collecting information from the infected system. The malware starts to conduct authentication using auth_signature and auth_timestamp parameters in order to deliver the second-stage payload more carefully, and it acquires the current system time and combines it with the “12GWAPCT1F0I1S14” hardcoded string, and produces an MD5 hash of the combined string. This hash is used as the value of the auth_signature parameter and the current time is used as the value of the auth_timestamp parameter. So, Lazarus can reproduce the auth_signature value based on the auth_timestamp at the C2 server side. Finally, the malware loads the next stage payload without touching the disk.