Unlike the apple juice enjoyed by many a youngster, the newly discovered AppleJeus looks pretty rotten, according to new research from Kaspersky Lab.
Researchers have discovered the advanced persistent threat group Lazarus using AppleJeus, a new malicious operation. While assisting with incident response efforts in previous attacks from the group, researchers unexpectedly identified an attacker penetrating the network of a cryptocurrency exchange in Asia. The attacker used Trojanized cryptocurrency trading software, with the reported goal of stealing cryptocurrency from victims.
A previously unidentified version of a Windows-based malware was targeting the macOS platform, according to today's press release. The group was able to compromise the stock exchange's infrastructure by bamboozling an unsuspecting employee into downloading a third-party application from a specious website.
"The application’s code is not suspicious, with the exception of one component – an updater. In legitimate software, such components are used to download new versions of programs," Kaspersky wrote in the press release.
"In the case of AppleJeus, it acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update."
Though the operation looks similar to a supply-chain attack, it is reportedly not, because the vendor of the cryptocurrency trading software has a valid certification for signing its software and legitimate registration records for the domain.
“We noticed a growing interest of the Lazarus group in cryptocurrency markets at the beginning of 2017, when Monero mining software was installed on one of their servers by a Lazarus operator. Since then, they have been spotted several times targeting cryptocurrency exchanges alongside regular financial organizations,” noted Vitaly Kamluk, head of GReAT APAC, Kaspersky Lab.
“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future," Kamluk said. "For macOS users this case is a wake-up call, especially if they use their Macs to perform operations with cryptocurrencies.”