The North Korean ‘Lazarus’ hacking group is linked to a new attack spreading fake cryptocurrency apps under the made-up brand, “BloxHolder,” to install the AppleJeus malware for initial access to networks and steal crypto assets.
According to a joint FBI and CISA report from February 2021, AppleJeus has been in circulation since at least 2018, used by Lazarus in cryptocurrency hijacking and digital asset theft operations.
A new report by Volexity has identified new, fake crypto programs and AppleJeus activity, with signs of evolution in the malware’s infection chain and abilities.
New BloxHolder campaign
The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022.
In this campaign, the threat actors used the “bloxholder[.]com” domain, a clone of the HaasOnline automated cryptocurrency trading platform.
This website distributed a 12.7MB Windows MSI installer that pretended to be the BloxHolder app. However, in reality, it was the AppleJeus malware bundled with the QTBitcoinTrader app.
In October 2022, the hacking group evolved their campaign to use Microsoft Office documents instead of the MSI installer to distribute the malware.
The 214KB document was named ‘OKX Binance & Huobi VIP fee comparision.xls’ and contained a macro that creates three files on a target’s computer.
Volexity couldn’t retrieve the final payload from this later infection chain, but they noticed similarities in the DLL sideloading mechanism found in the previously used MSI installer attacks, so they’re confident it’s the same campaign.
Upon installation through the MSI infection chain, AppleJeus will create a scheduled task and drop additional files in the folder “%APPDATA%RoamingBloxholder”.
Next, the malware will collect the MAC address, computer name, and OS version and send it to the C2 via a POST request, likely to identify if it’s running on a virtual machine or sandbox.
One novel element in recent campaigns is chained DLL sideloading to load the malware from within a trusted process, evading AV detection.
“Specifically, “CameraSettingsUIHost.exe” loads the “dui70.dll” file from the “System32” directory, which then causes the loading of the malicious “DUser.dll” file from the application’s directory into the “CameraSettingsUIHost.exe” process,” explains Volexity.
“The “dui70.dll” file is the “Windows DirectUI Engine” and is normally installed as part of the operating system.”
Volexity says the reason Lazarus opted for chained DLL sideloading is unclear but might be to impede malware analysis.
Another new characteristic in recent AppleJeus samples is that all its strings and API calls are now obfuscated using a custom algorithm, making them stealthier against security products.
Although Lazarus’ focus on cryptocurrency assets is well documented, the North Korean hackers remain fixed on their goal to steal digital money, constantly refreshing themes and improving tools to stay as stealthy as possible.
Who is the Lazarus Group
The Lazarus Group (also tracked as ZINC) is a North Korean hacking group that has been active since at least 2009.
The group gained notoriety after hacking Sony Films in Operation Blockbuster and the 2017 global WannaCry ransomware campaign that encrypted businesses worldwide.
Google discovered in January 2021 that Lazarus was creating fake online personas to target security researchers in social engineering attacks that installed backdoors on their devices. A second attack using this tactic was discovered in March 2021.
The U.S. government sanctioned the Lazarus hacking group in September 2019 and now offers a reward of up to $5 million for information that can disrupt their activities.
More recent attacks have turned to the spreading of trojanized cryptocurrency wallets and trading apps that steal people’s private keys and drain their crypto assets.
In April, the U.S. government linked the Lazarus group to a cyberattack on Axie Infinity that allowed them to steal over $617 million worth of Ethereum and USDC tokens.
It was later revealed that the Axie Infinity hack was made possible due to a phishing attack containing a malicious PDF file pretending to be a job offer sent to one of the company’s engineers.