Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware

The North Korean Lazarus Group, aka APT38, is one of the most sophisticated North Korean APTs. It’s been active since 2009 and is responsible for many high-profile attacks.

In January of 2022, the Malwarebytes Intelligence Team uncovered a campaign in which Lazarus conducted spear phishing attacks weaponized with malicious documents that used a familiar job opportunities theme. Now, researchers at Volexity have analyzed a new campaign that is likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by using malicious Microsoft Office documents.

Lazarus Group

The Lazarus Group is commonly believed to be run by the North Korean government. It is thought to conduct financial cybercrimes as a way to raise money for a regime that has few trading opportunities because of long-standing international sanctions. One of the group’s preferred tactics is to use trojanized cryptocurrency-related apps, like AppleJeus.

AppleJeus

Since 2018, one of Lazarus Group’s tactics has been to disguise AppleJeus malware as cryptocurrency trading platforms for both Windows and Mac. In April, CISA warned that Lazarus Group uses these trojanized applications to gain access to victims’ computers, spread other malware, and steal private keys or to exploit other security gaps. All of this is done to create an environment where the group can initiate fraudulent cryptocurrency transactions.

The new campaign

The campaign started when Lazarus Group registered the domain bloxholder[.]com. The website Lazarus Group built there is a clone of the legitimate website HaasOnline. HaasOnline is a Dutch company that developed HaasScript, a crypto scripting language that allows users to create complex automated trading algorithms.

The cloned website distributed a Windows MSI installer that pretended to be an installer for the BloxHolder app. In fact, it was the AppleJeus malware bundled with the QTBitcoinTrader app, an open source cryptocurrency trading application which has been used by Lazarus before.

The start screen of the BloxHolder installer

In the background, the installer creates a Scheduled Task which executes the legitimate executable CameraSettingsUIHost.exe at logon of any user on the affected system.

DLL sideloading

When an executable loads a dynamic link library (DLL) in Windows, it looks for the library in a few locations. The first three are:

  1. A specified location
  2. The same folder/directory the executable is in
  3. The system directory

The search for the DLL is done in that order and the first one found gets loaded. What we normally would expect to see is that the executable and the DLL would get dropped in the same directory, but in this campaign the threat actor used an extra step.

CameraSettingsUIHost.exe loads the legitimate dui70.dll from the system directory which then causes the load of the malicious DUser.dll which was dropped in the same directory as the executable. Why the group used this method instead of dropping a malicious dui70.dll in that directory is unclear.
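A defender-side check for the layout described above, as an added example that is not code from this article or from Volexity: given a file inventory, it flags any directory outside the system directory that holds a copy of a system executable next to a DLL whose name shadows a system DLL. The function name, the sample inventory and the default system directory are assumptions made for illustration.

```python
import ntpath
from collections import defaultdict

# Constructed sample inventory (not real telemetry). The Bloxholder entries
# mirror the file IOCs listed in this article; the user name and the
# "Vendor" entries are made-up filler.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\CameraSettingsUIHost.exe",
    r"C:\Windows\System32\dui70.dll",
    r"C:\Windows\System32\DUser.dll",
    r"C:\Users\alice\AppData\Roaming\Bloxholder\CameraSettingsUIHost.exe",
    r"C:\Users\alice\AppData\Roaming\Bloxholder\DUser.dll",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Program Files\Vendor\helper.dll",
]

SYSTEM_DIR = r"c:\windows\system32"  # assumption: default Windows location


def find_sideload_candidates(paths, system_dir=SYSTEM_DIR):
    """Return {directory: (exes, dlls)} for directories outside system_dir
    that contain both an .exe and a .dll named like files in system_dir."""
    system_names = set()
    by_dir = defaultdict(set)
    for path in paths:
        # normcase lowercases and normalises separators, because Windows
        # file names are case-insensitive.
        directory, name = ntpath.split(ntpath.normcase(path))
        if directory == system_dir:
            system_names.add(name)
        else:
            by_dir[directory].add(name)

    hits = {}
    for directory, names in by_dir.items():
        shadowed = names & system_names
        exes = sorted(n for n in shadowed if n.endswith(".exe"))
        dlls = sorted(n for n in shadowed if n.endswith(".dll"))
        # A relocated system binary alone, or a same-named DLL alone, is
        # weak evidence; the pair together is the sideloading layout.
        if exes and dlls:
            hits[directory] = (exes, dlls)
    return hits
```

This is a heuristic: some legitimate software ships its own copies of system files, so a hit is a lead to review rather than a verdict.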

Second wave

In October 2022, Lazarus Group started using a malicious Microsoft Office document to deliver the AppleJeus malware. The document uses embedded macros to deploy malware on the target system. The purpose of the malware is to download a payload from the file-sharing service OpenDrive.

Be careful

Cryptotrading platforms and applications have been the subject of many attacks and scams lately. It pays to be very careful in who you trust with your cryptocurrency and how you handle your trading.

IOCs

Users that installed the BloxHolder MSI may also find the application in their list of installed programs.

Domains:

strainservice[.]com

bloxholder[.]com

rebelthumb[.]net

wirexpro[.]com

oilycargo[.]com

telloo[.]io

Files:

%APPDATA%\Roaming\Bloxholder\CameraSettingsUIHost.exe

%APPDATA%\Roaming\Bloxholder\DUser.dll

%APPDATA%\Roaming\Bloxholder\18e190413af045db88dfbd29609eb877

BloxHolder_v1.2.5.msi

Scheduled Task:

%SYSDIR%\Tasks\Bloxholder*

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.