The infamous North Korean hacking group known as Lazarus has been connected to a brand new attack spreading bogus cryptocurrency applications under a made-up brand.
The products released by “BloxHolder” are designed install AppleJeus malware that empower threat actors with initial network access required to steal cryptocurrency assets.
According to a report that was issued by CISA and the FBI in February 2021, AppleJeus malware has been around since about 2018 and is commonly used by the Lazarus group in crypto hijacking and operations involving the theft of digital assets.
A recent study by analysts at Volexity has identified all-new fake cryptocurrency programs involving AppleJeus malware activity. The report indicated signs that the malware’s abilities and infection chain have now evolved, suggesting active development and deployment.
The BloxHolder crypto malware campaign
The brand new attack campaign linked to Lazarus began back in June 2022 and was active up until at around October of the same year. The campaign involved threat actors using a domain called “bloxholder.com”, which is a cloned version of the automated cryptocurrency trading site known as HaasOnline.
This fake site distributed a 12.7-megabyte Windows MSI installer that masqueraded as the BloxHolder application. However, it was really AppleJeus malware combined with the QTBitcoinTrader application in a bundle.
In October 2022, the hacking outfit evolved its campaign to employ Microsoft Office-type documents rather than the MSI installer for malware distribution.
The document, entitled “OKX Binance & Huobi VIP fee comparision.xls”, included a macro table to create three individual files on a victim’s device.
Analysts at Volexity could not recover the last payload from the October infection chain, but they observed many similarities within the DLL (dynamic link library) sideloading mechanism encountered in the previously employed MSI installer attacks. As a result, they are confident that this is part of the same campaign.
After installation via the MSI infection chain, the AppleJeus malware creates a scheduled task and drops additional files. The malware then collects the media access control (MAC) address, operating system version and computer name, then sends the data to the Command and Control (C2) server to identify whether it is running in a sandbox or on a virtual machine.
One intriguing element of the recent attack campaigns is the use of chained DLL sideloading for malware, loading from inside a trusted process to evade antivirus detection.
What is Lazarus?
Also known as Zinc, Lazarus is a North Korean-based hacking group, operating since around 2009.
The threat group gained notoriety when it hacked Sony Films during Operation Blockbuster, and was believed to be behind the world-famous 2017 global ransomware campaign WannaCry, which successfully encrypted businesses across the globe.
In 2019, the US government sanctioned the group and currently offers a reward of $5m (£4.1m) for any information that can interrupt its malicious activities.
The group’s more recent operations have involved spreading fake cryptocurrency wallets and crypto trading applications that contain a Trojan horse that steals users’ private keys before draining their crypto assets.
In April 2022, the US government attributed Lazarus group to an attack on Axie Infinity that enabled them to steal more than $617m (£506m) worth of USDC and Ethereum tokens.