AppleJeus Malware Report
AppleJeus is a C2-connected malware family spread by the North Korean "Lazarus" group.
WRAVEN Malware Report: AppleJeus
Overview
Malware Name: AppleJeus
Attribution: Lazarus Group (North Korean APT)
Primary Target: Cryptocurrency Exchanges & Financial Institutions
Analysis Date: 02/19/2025
Summary
AppleJeus is a long-running malware campaign orchestrated by the Lazarus Group, a North Korean state-sponsored threat actor. First publicly identified in 2018, AppleJeus has evolved into a multi-platform attack built around trojanized cryptocurrency trading applications. The malware primarily targets financial organizations and individuals involved in cryptocurrency transactions. AppleJeus combines social engineering, DLL side-loading, and evasion tactics to establish persistent access and facilitate financial theft. This report details its variants, infection lifecycle, command-and-control (C2) mechanisms, and mitigation strategies.
Technical Analysis
General Information
Sample Name:
Various (e.g., QtBitcoinTrader, BloxHolder)
MD5:
48971e0e71300c99bb585d328b08bc88
SHA-1:
ec8d7264953b5e9e416b7e8483954d9907278f2f
SHA-256:
9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641
File Type:
PE32 Executable / macOS DMG Installer
File Size:
Varies by Variant
Step-by-Step Execution Breakdown
Delivery & Execution: Distributed via phishing emails, fake cryptocurrency exchanges, or trojanized installers. Applications appear legitimate but include a malicious updater.
Reconnaissance: The malware's updater module collects OS metadata and transmits it to C2 servers, and checks for installed security software before proceeding.
Payload Deployment: If the host is deemed a viable target, the malware downloads and installs secondary payloads, including the FALLCHILL RAT and custom backdoors.
Persistence Mechanisms:
Windows: Scheduled tasks or registry modifications.
macOS: LaunchAgents; the trojanized app is signed with a valid Apple developer certificate so that Gatekeeper allows it to run.
Command & Control (C2) Communications: Employs encrypted channels over domains carrying TLS certificates from public CAs (e.g., certificates issued by Sectigo). Uses compromised infrastructure to disguise malicious activity.
Data Exfiltration: Primary focus on cryptocurrency wallet keys, financial transaction data, and authentication credentials. Exploits wallet applications and keylogging techniques to intercept user activity.
Behavioral Analysis
Execution & Evasion
Trojanized installers execute upon launch, appearing as benign cryptocurrency trading apps.
Sandbox detection delays activation by 24-48 hours to evade automated analysis.
Utilizes legitimate system utilities (e.g., msiexec.exe, curl) to avoid detection.
Persistence Mechanisms
Windows:
DLL side-loading through dsparse.dll
Scheduled task creation for auto-execution
macOS:
Fake software updates delivered through the trojanized app's updater
LaunchAgents (plists under /Library/LaunchAgents) pointing at a developer-signed binary
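The macOS persistence described above can be hunted for by parsing LaunchAgent plists and applying a few heuristics: Apple ships its own com.apple.* agents under /System/Library/LaunchAgents, not the third-party directories, and a RunAtLoad/KeepAlive agent whose program lives in a hidden or shared-temp directory is worth a look. The following is an added example written for this report and is not WRAVEN's tooling; the plist contents are constructed (the label and path mirror the IOC section), and the rule names and trusted-path list are assumptions.

```python
"""Audit LaunchAgent plists for AppleJeus-style persistence (added example).

The heuristics and rule names here are assumptions for illustration; the
sample plists are constructed, not recovered from a real infection.
"""
import plistlib

# Locations where a com.apple.* label should never appear (Apple's own agents
# live under /System/Library/LaunchAgents).
THIRD_PARTY_AGENT_DIRS = ("/Library/LaunchAgents/", "/Users/")
# Directories an attacker commonly stages a persisting binary in.
SUSPICIOUS_PROGRAM_PREFIXES = ("/Users/Shared/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def _has_hidden_component(path):
    """True if any directory component of the path starts with a dot."""
    return any(part.startswith(".") for part in path.split("/") if part)


def audit_launch_agent(path, plist_bytes):
    """Return a list of (rule, detail) findings for one LaunchAgent plist."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot parse is itself worth flagging
        return [("unparseable_plist", f"{path}: {exc}")]

    findings = []
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    exe = data.get("Program") or (args[0] if args else "")

    if label.startswith("com.apple.") and path.startswith(THIRD_PARTY_AGENT_DIRS):
        findings.append(("apple_label_outside_system", f"{path} label={label}"))
    if exe and (exe.startswith(SUSPICIOUS_PROGRAM_PREFIXES) or _has_hidden_component(exe)):
        findings.append(("program_in_suspicious_path", f"{path} -> {exe}"))
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append(("run_at_load_keepalive", path))
    return findings


# Constructed plist mirroring the persistence file named in this report's IOCs.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.monitor",
    "ProgramArguments": ["/Users/Shared/.update/monitor", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
# Constructed benign agent for comparison.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup-agent"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for agent_path, blob in [("/Library/LaunchAgents/com.apple.monitor.plist", SUSPICIOUS_PLIST),
                             ("/Library/LaunchAgents/com.example.backup.plist", BENIGN_PLIST)]:
        print(agent_path, audit_launch_agent(agent_path, blob))
```

On a live host you would feed `audit_launch_agent` the bytes of every file under /Library/LaunchAgents and each user's ~/Library/LaunchAgents; a hit on the label rule alone is strong, because nothing legitimate installs a com.apple.* agent there.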
Network & Exfiltration
Encrypted C2 communications using bulletproof hosting providers.
Uses cloud storage platforms (e.g., OpenDrive) for malware hosting and payload retrieval.
MITRE ATT&CK Techniques Observed
Execution: User Execution: Malicious File (T1204.002)
Defense Evasion: Masquerading (T1036), Obfuscated Files or Information (T1027), Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)
Persistence: Hijack Execution Flow: DLL Side-Loading (T1574.002), Scheduled Task/Job: Scheduled Task (T1053.005)
Credential Access: Input Capture: Keylogging (T1056.001), Unsecured Credentials: Private Keys (T1552.004)
Discovery: System Information Discovery (T1082), Software Discovery: Security Software Discovery (T1518.001)
Exfiltration: Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Indicators of Compromise (IOCs)
File Hashes:
MD5: 48971e0e71300c99bb585d328b08bc88
SHA-1: ec8d7264953b5e9e416b7e8483954d9907278f2f
SHA-256: 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641
Suspicious Processes:
QtBitcoinTrader.exe
BloxHolder.exe
msiexec.exe (misused for execution)
CertEnrollCtrl.exe (loaded with non-Microsoft DLLs)
Dropped Files:
C:\ProgramData\Microsoft\Windows\WER\Temp\dsparse.dll
/Library/LaunchAgents/com.apple.monitor.plist (macOS persistence)
Recommendations
Restrict Execution of Untrusted Applications: Use application allowlisting to prevent execution of unauthorized software.
Monitor for Suspicious Processes: Watch for execution of msiexec.exe and curl in unusual contexts.
Enforce Strong Wallet Security Practices: Require hardware wallets and multi-signature authentication for cryptocurrency transactions.
Enhance Endpoint Protection: Deploy behavioral monitoring to detect anomalies linked to DLL side-loading and credential theft.
Patch and Update Regularly: Prioritize software updates for vulnerabilities exploited in AppleJeus campaigns (e.g., MSHTML vulnerabilities).
AppleJeus remains one of the most widespread financial cyber threats, illustrating the Lazarus Group’s persistence in targeting cryptocurrency infrastructure on behalf of the North Korean government. With continuous evolution in tactics, including deepfake social engineering and supply chain attacks, proactive defense measures and international cooperation are essential in mitigating its impact.
Stay safe out there! - WRAVEN

Report by: WRAVEN Malware Research Team
Authors: Fin Burns, Lochlan McElroy
Help from: Talon Nowicki, Bryant Quintana, Elijah Steinman, Austin Quakenbush
Contact: [email protected]
Date: 02/19/2025
Special thanks to:
Any.run
VirusTotal
PerplexityAI
Abuse.ch
JoeSecurity