Beware: State-based hackers are targeting cryptocurrency mining using AppleJeus malware

Cyber-security news reports that malicious, fake crypto-trading applications are being used to steal cryptocurrency from individuals and companies.

These cryptocurrency trading applications were developed by a DPRK state-sponsored threat actor, Lazarus Group, tracked by the U.S. as HIDDEN COBRA. The attackers used these applications to deliver the AppleJeus malware onto targeted systems.

The FBI, CISA and the U.S. Department of the Treasury published an advisory on Wednesday attributing the activity to North Korean state-sponsored hackers.

“These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone,” the advisory reads.

“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea—the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts.”

The US agencies also released seven malware analysis reports that provide indicators of compromise and describe each of the North Korean APT’s malicious apps used in the cryptocurrency theft campaign.

All seven are versions of the AppleJeus malware detected in 2018. They were delivered as apparently benign apps through attacker-controlled websites that mimic legitimate cryptocurrency trading sites.

According to CISA, “Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware.”

The seven AppleJeus malware versions are:

  • MAR-10322463-1.v1: AppleJeus – Celas Trade Pro
  • MAR-10322463-2.v1: AppleJeus – JMT Trading
  • MAR-10322463-3.v1: AppleJeus – Union Crypto
  • MAR-10322463-4.v1: AppleJeus – Kupay Wallet
  • MAR-10322463-5.v1: AppleJeus – CoinGoTrade
  • MAR-10322463-6.v1: AppleJeus – Dorusio
  • MAR-10322463-7.v1: AppleJeus – Ants2Whale

Matt Hartman, the acting Executive Assistant Director of Cybersecurity at CISA, said, “This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors. The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cybercriminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.”

Recently, three North Koreans were charged by the U.S. Justice Department with stealing $1.4 billion in money and cryptocurrency through attacks on banks, the entertainment industry, cryptocurrency companies, and other organizations. They are believed to be members of Reconnaissance General Bureau (RGB) units, a North Korean military intelligence agency.

The DOJ said, “These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38).”