Hackers using fake crypto app to install to install the AppleJeus malware

Share post:

Hackers backed by North Korea’s government attempted to infect the computers of hundreds of people working in a variety of industries, including news media, IT, cryptocurrency, and financial services, Google said. It added that it is being used to install the AppleJeus malware for initial access to networks and steal crypto assets.

The vulnerability, identified as CVE-2022-0609, was exploited by two distinct North Korean hacking groups. Both groups used the same exploit kit on websites that were either legitimate organizations that had been hacked or were set up specifically to serve attack code to unsuspecting visitors. One group was called Operation Dream Job, and it targeted over 250 people from ten different companies. AppleJeus, the other group, targeted 85 users.

The website was used by the attackers to distribute a Windows MSI installer disguised as the BloxHolder app, which was used to install AppleJeus malware alongside the QTBitcoin Trader app.

The BloxHolder application was discovered to be installed alongside the open-source cryptocurrency trading application QTBitcoin Trader, which is available on GitHub.

The MSI file is used to simultaneously install malicious and legitimate applications. The researchers observed the Lazarus Group installing AppleJeus in October 2022 using a weaponized Microsoft Office document named ‘OKX Binance & Huobi VIP fee comparision.xls’ rather than an MSI installer.

AppleJeus will create a scheduled task and drop additional files in the folder “%APPDATA%RoamingBloxholder” after installation via the MSI infection chain. The malware will then collect the MAC address, computer name, and OS version and send it to the C2 via a POST request, most likely to determine whether it is running on a virtual machine or sandbox.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways