AppleJeus

The email provided a link to the Celas’ website, celasllc[.]com ( Acquire Infrastructure: Domain [T1583.001])... Again, the malware was ... distributed on their website, jmttrading[.]org ( Acquire Infrastructure: Domain [T1583.001]).

This website contained a “Download from GitHub” button, which linked to JMT Trading’s GitHub page ( Acquire Infrastructure: Web Services [T1583.006]).

FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware ( Develop Capabilities: Malware [T1587.001]).

The installer looks legitimate and is signed by a valid Sectigo certificate ... ( Obtain Capabilities: Code Signing Certificates [T1588.003]).

The celasllc[.]com domain had a valid Sectigo ... SSL certificate ( Obtain Capabilities: Digital Certificates [T1588.004]).

Lazarus Group... is targeting individuals and companies... through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.

During the 3CX Supply Chain Attack, AppleJeus first compromised an "end-of-life" trading software application which was downloaded and executed inside the 3CX enterprise environment. The second compromise modified the Windows and macOS build environments used to distribute the 3CX software to their customer base.

Further research revealed that a phishing email from a Celas LLC company ( Phishing: Spearphishing Link [T1566.002]) recommended the trojanized cryptocurrency trading application to victims.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Creation and Deployment of Malicious Cryptocurrency Applications : Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.

The postinstall script is a sequence of instructions that runs after successfully installing an application ( Command and Scripting Interpreter: Unix Shell [T1059.004]).

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

The MSI Installer asks the victim for administrative privileges to run ( User Execution: Malicious File [T1204.002]).

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

...drops FALLCHILL onto the machine and installs it as a service ( Create or Modify System Process: Windows Service [T1543.003]).

...the postinstall script launches the Updater program with the CheckUpdate parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

The program UnionCryptoUpdater.exe first installs itself as a service ... which will automatically start when any user logs on ( Boot or Logon Autostart Execution [T1547]).

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

...drops FALLCHILL onto the machine and installs it as a service ( Create or Modify System Process: Windows Service [T1543.003]).

...the postinstall script launches the Updater program with the CheckUpdate parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

The program UnionCryptoUpdater.exe first installs itself as a service ... which will automatically start when any user logs on ( Boot or Logon Autostart Execution [T1547]).

Once permission is granted, the threat actor is able to run the program with elevated privileges ( Abuse Elevation Control Mechanism [T1548]).

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

The leading “.” makes it unlisted in the Finder app or default Terminal directory listing ( Hide Artifacts: Hidden Files and Directories [T1564.001]).

The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.

Updater.exe ... collects the victim’s host information ( System Owner/User Discovery [T1033]), encrypts the collected information ... and sends information to a C2 website.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

BoomBox can encrypt data using AES prior to exfiltration. ROKRAT can encrypt data prior to exfiltration by using an RSA public key. Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.

Examples include 'AppleJeus's COLDCAT C2 leverages cookie headers to contain data over HTTPS,' 'ChChes ... embeds data within the Cookie HTTP header,' 'GoldMax ... used custom HTTP cookies for C2,' and 'UPPERCUT ... sending error codes in Cookie headers.'

Upon executing the Gopuram backdoor, the malware connects to a C2 server and await further commands.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

Targeting of Cryptocurrency Companies and Theft of Cryptocurrency : Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.