Operation AppleJeus Sequel: Lazarus Continues to Attack the Cryptocurrency Business with Enhanced Capabilities (Jan 8, 2019)
According to Kaspersky Lab researchers, the “Lazarus” Advanced Persistent Threat (APT) group has continued to target cryptocurrency businesses using macOS malware similar to the “Operation AppleJeus” attacks that took place in 2018; the researchers call this new campaign the “Sequel” to Operation AppleJeus. The threat group leveraged public source code to build macOS installers, using similar post-install scripts as well as the same command-line argument to execute the second stage as the Operation AppleJeus macOS “Lazarus Loader” malware. The researchers suspect that the installer is delivered via the Telegram messenger, based on the discovery of the threat actor’s Telegram group. Sequel modifications include the use of a malicious application called “UnionCryptoTrader” that executes from the Telegram messenger download folder. Other modifications include hosting the malware on GitHub, using Objective-C instead of the QT framework, and a significantly different post-install script in the macOS malware. Lazarus appears to have created fake cryptocurrency-themed websites for this campaign, but the pages did not work as intended: most links the researchers observed were not functional. While the identities of the targeted victim organizations in the Operation AppleJeus Sequel campaign are undisclosed, the targeted victims were located in China, Poland, Russia, and the UK and were linked to cryptocurrency business entities.
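A hunting check for the staging behaviour described above (an application executed from the Telegram download folder, under a name matching the reported lure), as an added example that is not Kaspersky's or Anomali's code; the default Telegram Desktop download directory (`~/Downloads/Telegram Desktop`) and the process events are assumptions constructed for the example.

```python
"""Flag macOS process-exec events that match the AppleJeus Sequel staging pattern.
Added example; the download directory and the events below are assumed/constructed."""
import posixpath
import re
from typing import Dict, List, Optional

# Assumed default download location of Telegram Desktop on macOS (not from the report).
TELEGRAM_DL_DIRS = ("Downloads/Telegram Desktop",)
# Lure application name reported in the campaign summary.
LURE_NAMES = {"unioncryptotrader"}

def under_telegram_downloads(path: str) -> bool:
    """True if an absolute macOS path resolves to a user's Telegram download dir."""
    norm = posixpath.normpath(path)          # collapse "..", "." and doubled slashes
    m = re.match(r"^/Users/[^/]+/(.*)$", norm)
    if not m:
        return False
    rest = m.group(1)
    return any(rest == d or rest.startswith(d + "/") for d in TELEGRAM_DL_DIRS)

def app_name_from_path(path: str) -> Optional[str]:
    """Return the .app bundle name when the path is inside a bundle, else the basename."""
    m = re.search(r"/([^/]+)\.app(?:/|$)", path)
    if m:
        return m.group(1)
    return posixpath.basename(path) or None

def classify(event: dict) -> List[str]:
    """Return hunting tags for one process-exec event of the form {'pid', 'exe'}."""
    tags = []
    exe = event.get("exe", "")
    if under_telegram_downloads(exe):
        tags.append("exec_from_telegram_downloads")
    if (app_name_from_path(exe) or "").lower() in LURE_NAMES:
        tags.append("known_lure_app_name")
    return tags

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 501, "exe": "/Users/alice/Downloads/Telegram Desktop/UnionCryptoTrader.app/Contents/MacOS/UnionCryptoTrader"},
    {"pid": 502, "exe": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"pid": 503, "exe": "/Users/bob/Downloads/Telegram Desktop/../Telegram Desktop/setup.pkg"},
]

def hunt(events=SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Map pid -> tags for every event that matched at least one rule."""
    return {e["pid"]: t for e in events if (t := classify(e))}

if __name__ == "__main__":
    for pid, tags in hunt().items():
        print(pid, tags)
```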
Recommendation: It is important that businesses understand the threat landscape for their particular region and industry in relation to cyber threats. Understanding the landscape can help an organization prepare a security strategy that best fits the potential threat. While in this particular instance Lazarus is targeting cryptocurrency businesses, similar campaigns may target your specific industry, and security professionals within your business should stay abreast of these potential threats.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.