United States – Lazarus, a North Korean hacking group, has been linked to a recent campaign that distributes fake cryptocurrency applications under the BloxHolder brand. Behind the bogus apps, the group steals real cryptocurrency.
Lazarus, a hacking group from North Korea, has been linked to a recent campaign that spreads fake digital asset apps under BloxHolder, a made-up brand. The bogus apps are the delivery vehicle for the AppleJeus malware, which gives the group initial access to victims' networks, from which it can steal real cryptocurrency assets.
The malware "AppleJeus" first drew attention in 2018. Per a joint CISA and FBI report dated February 2021, Lazarus has used it to hijack cryptocurrency and carry out theft operations.
Volexity has published a new report identifying new bogus digital asset programs and fresh AppleJeus activity. The report also notes signs of evolution in the malware's infection chain and capabilities.
The new activity attributed to Lazarus began in June 2022, and the campaign remained active until October 2022. The threat actors used the bloxholder.com domain, a clone of the HaasOnline automated cryptocurrency trading platform. This website distributed a 12.7MB Windows MSI installer that posed as the BloxHolder app. Instead of a BloxHolder app, however, the installer delivers the AppleJeus malware alongside the QTBitcoinTrader app.
In October 2022 the group changed tactics, choosing Microsoft Office documents over the MSI installer to spread the malware. The 214KB document, named "OKX Binance & Huobi VIP fee comparison.xls," carried a macro that dropped three files on the target computer.
Volexity could not recover the final payload from this later infection chain. However, it spotted similarities with the DLL sideloading mechanism seen in the earlier MSI installer attacks, so it is confident that the Office document activity belongs to the same campaign. In the MSI infection chain, AppleJeus creates a scheduled task upon installation and drops further files into the folder "%APPDATA%\Roaming\Bloxholder\."
The malware gathers the MAC address, OS version and computer name and sends them to the C2 in a POST request. One novel element of the latest campaigns is chained DLL sideloading, which loads the malware inside a trusted process to evade AV detection.
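The behaviours described in the last three paragraphs (files dropped under the Bloxholder folder, a scheduled task pointing at it, an Office process writing executable files, an unsigned DLL loaded from a user-writable path, and an outbound connection from a binary in that folder) are all visible in endpoint telemetry. The following Python script is an added hunting example written for this article; it is not Volexity's or Lazarus' code. It runs over constructed Sysmon-style events embedded inline, and the expanded path C:\Users\...\AppData\Roaming\Bloxholder\, the task name, the DLL and file names and the IP addresses are all invented for illustration.

```python
"""Added hunting example (not from Volexity's report): flag the AppleJeus-style
infection-chain behaviours in constructed Sysmon-like events.
Sysmon EventIDs used: 1=ProcessCreate, 3=NetworkConnect, 7=ImageLoad, 11=FileCreate."""
import re

# Assumed expansion of %APPDATA%\Roaming\Bloxholder\ on a victim host.
BLOXHOLDER_DIR = re.compile(r"\\AppData\\Roaming\\Bloxholder\\", re.IGNORECASE)
# Coarse "user-writable" heuristic; a signed program normally does not need DLLs here.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\[^\\]+\\(Downloads|Desktop))\\",
                           re.IGNORECASE)
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
PAYLOAD_EXT = (".exe", ".dll", ".dat", ".bin", ".msi")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry: hostnames, file names and IPs are invented.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Bloxholder\Bloxholder.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Bloxholder\helper.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'schtasks /create /tn BloxholderUpdate /tr "C:\Users\alice\AppData\Roaming\Bloxholder\Bloxholder.exe" /sc onlogon'},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\loader.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Bloxholder\Bloxholder.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Bloxholder\helper.dll",
     "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "SignatureStatus": "Valid"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\Bloxholder\Bloxholder.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


def detect(events):
    """Return (rule, detail) tuples; each event triggers at most one rule."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 11:
            target = e["TargetFilename"]
            if BLOXHOLDER_DIR.search(target):
                findings.append(("bloxholder-file-drop", target))
            elif basename(e["Image"]) in OFFICE_APPS and target.lower().endswith(PAYLOAD_EXT):
                # An Office document's macro writing a DLL/EXE to disk.
                findings.append(("office-drops-executable", target))
        elif eid == 1:
            cmd = e.get("CommandLine", "")
            if basename(e["Image"]) == "schtasks.exe" and "/create" in cmd.lower() \
                    and BLOXHOLDER_DIR.search(cmd):
                findings.append(("scheduled-task-persistence", cmd))
        elif eid == 7:
            dll = e["ImageLoaded"]
            # Sideloading lead: unsigned DLL loaded from a user-writable directory.
            if e.get("SignatureStatus") != "Valid" and USER_WRITABLE.search(dll):
                findings.append(("unsigned-dll-from-user-dir", f"{basename(e['Image'])} <- {dll}"))
        elif eid == 3:
            # Beacon candidate: network traffic from a binary living in the drop folder.
            if BLOXHOLDER_DIR.search(e["Image"]):
                findings.append(("beacon-from-bloxholder",
                                 f"{e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}"))
    return findings


def rule_counts(findings):
    """Number of hits per rule, useful for triage dashboards."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The unsigned-DLL rule is deliberately coarse: many legitimate applications ship unsigned DLLs under AppData, so it produces leads rather than verdicts and should be correlated with the other hits (a drop into the same folder, a scheduled task, and an outbound connection from the same binary) before escalating.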
According to Volexity, it is unclear why Lazarus chose chained DLL sideloading, though it may be intended to hinder malware analysis. Whatever the reason, the group remains fixed on its well-documented goal of stealing digital assets.