U.S. Government cybersecurity experts have issued a security alert and analysis on AppleJeus malware used by North Korean threat actors to steal cryptocurrency.
In the joint alert, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the Department of Treasury (Treasury) published detailed analysis on the cyber threat dubbed “AppleJeus,” which has been attributed to the Lazarus Group. The cyber criminal group has been linked to North Korean state-sponsored advanced persistent threat (APT) actors.
Moreover, the report warns the APT actors are “targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.”
The U.S. Government also refers to North Korean government malicious cyber activity as HIDDEN COBRA.
AppleJeus background
AppleJeus malware was first discovered in 2018 when cybersecurity experts spotted the North Korean government using multiple versions of the malware. In the latest report, seven of the malware versions and indicators of compromise (IOC) have been analyzed.
The threat actors have used AppleJeus to target organizations in multiple sectors for cryptocurrency theft in over 30 countries. Those sectors include energy, finance, government, industry, technology and telecommunications.
Since January 2020, the following countries have been identified as AppleJeus targets: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States.
Malware samples
The alert also links to the seven Malware Analysis Reports (MARs), which give technical details on the following AppleJeus malware versions and their associated IOCs:
- AppleJeus – Ants2Whale
- AppleJeus – Celas Trade Pro
- AppleJeus – CoinGoTrade
- AppleJeus – Dorusio
- AppleJeus – JMT Trading
- AppleJeus – Kupay Wallet
- AppleJeus – Union Crypto
The government cybersecurity experts further warned that the HIDDEN COBRA actors initially abused legitimate cryptocurrency trading platforms to infect victims with AppleJeus malware, but have since expanded their infection vectors to phishing, social networking and social engineering to trick users into downloading the malware.