The North Korean hacking group Lazarus distributed a new malicious cryptocurrency application called ‘BloxHolder’ to deliver the AppleJeus malware to victims’ devices and gain initial access, a foothold that ultimately leads to cryptocurrency theft.
AppleJeus was first identified in 2018 and has since been used by Lazarus in similar operations aimed at stealing digital assets. The most recent samples show a more developed infection chain than earlier versions.
Analysts report that the new AppleJeus campaign was active until last October.
The campaign was first detected in June 2022, when Lazarus was seen using the domain ‘bloxholder[.]com’, an imitation of the HaasOnline automated crypto trading platform, to distribute AppleJeus to victims who visited the site and installed the fake trading application.
By October, Lazarus had shifted to Microsoft Office documents as the delivery vehicle, including an XLS file titled ‘OKX Binance & Huobi VIP fee comparison’ whose macro writes three malicious files to the targeted computer.
The new DLL sideloading mechanism also resembles the group’s earlier infection vector, which suggests this is the same campaign continued with updated techniques rather than a new one.
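The article does not describe the sideloading mechanism itself, so the following is an added example (not code from the original article or from the researchers who analysed AppleJeus) of the kind of heuristic a defender would run over image-load telemetry to surface DLL sideloading: a well-known Windows system DLL name loaded from a non-system, typically user-writable directory that also contains the loading executable. The record layout and all paths below are constructed and assumed; the DLL name list is illustrative, not exhaustive.

```python
"""Heuristic detection of DLL sideloading from image-load telemetry.

Added example, not from the original article. The ImageLoad records are an
assumed, simplified shape modelled loosely on Sysmon Event ID 7 (process image
plus loaded DLL path); the sample events are constructed for this demo.
"""
from dataclasses import dataclass
import ntpath

# Directories a legitimately signed Windows binary normally loads system DLLs from.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# System DLL names commonly abused for sideloading (illustrative, not exhaustive).
SYSTEM_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll",
    "userenv.dll", "profapi.dll", "dbghelp.dll", "msimg32.dll",
}


@dataclass
class ImageLoad:
    image: str         # full path of the process executable that loaded the DLL
    image_loaded: str  # full path of the DLL that was loaded


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a well-known system DLL name is loaded from outside the
    system directories and from the same directory as the loading EXE,
    which is the classic search-order sideloading layout."""
    dll = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()
    if dll not in SYSTEM_DLL_NAMES:
        return False
    if dll_dir.startswith(TRUSTED_DIRS):
        return False
    return dll_dir == exe_dir


def find_sideloads(events):
    """Return the subset of events that match the sideloading heuristic."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: one benign system load, one sideload from a
# roaming profile, one non-system DLL (ignored), one sideload from Downloads.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll"),
    ImageLoad(r"C:\Users\alice\AppData\Roaming\Tool\tool.exe",
              r"C:\Users\alice\AppData\Roaming\Tool\version.dll"),
    ImageLoad(r"C:\Users\alice\AppData\Roaming\Tool\tool.exe",
              r"C:\Users\alice\AppData\Roaming\Tool\helper.dll"),
    ImageLoad(r"C:\Users\alice\Downloads\viewer.exe",
              r"C:\Users\alice\Downloads\dwmapi.dll"),
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print("possible sideload:", ev.image, "->", ev.image_loaded)
```

Treat a hit as a triage lead rather than a verdict: some legitimate installers redistribute copies of system DLLs beside their executables, so the usual follow-up is to check the DLL's signature and hash against the vendor's release and compare it with the copy in System32.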
Experts believe the change in tactics is intended to hinder analysis. Recent AppleJeus samples obfuscate their strings and API calls with a custom algorithm, which strips out the plaintext indicators that static detection and analysis tools rely on.
Lazarus’s objective of stealing digital assets from its victims is unchanged; what has changed is the set of techniques, refined to evade detection and analysis while still delivering successful attacks.
Also tracked as ZINC, Lazarus is a North Korean state-linked group first observed in 2009. One of its best-known attacks was the 2014 breach of Sony Pictures, in which data on employees and their families, internal emails, unreleased films, and more were stolen.
In September 2019, the US government sanctioned the group, and it later offered a reward of up to $5 million for information that helps disrupt the group’s activities.