You all probably remember the AppleJeus malware that was used by Lazarus to target Mac devices in February. It is back!
Recently, the FBI and CISA published a joint advisory warning about the AppleJeus malware deployed by the Hidden Cobra threat actor. The group is launching attacks against financial services, cryptocurrency exchanges, and similar entities. The malware is being propagated via trojanized versions of cryptocurrency trading apps.
A glimpse into the history
- AppleJeus first appeared in 2018 under the name Celas Trade Pro and allowed the criminals to issue remote commands from a C2 server.
- The next instance appeared in 2019, when the malware was disguised as a cryptocurrency trading app.
- According to Malware Analysis Reports (MARs), threat actors have been impersonating trading apps including JMT Trading, Kupay Wallet, CoinGoTrade, Ants2Whale, Union Crypto, and Dorusio since 2018.
Recent Lazarus activities
- Lazarus, also known as Hidden Cobra, leveraged a previously undocumented backdoor, Vyveva, to attack a South African freight logistics firm.
- Only last month, the APT group was spotted broadening its arsenal with TFlower ransomware as a double-extortion tactic.
- In February, it used various strains of AppleJeus to steal cryptocurrency.
The bottom line
The agencies have recommended a series of mitigation measures, both post-compromise and proactive, for organizations to follow in order to stay safe. Lazarus is an extremely vicious North Korean state-sponsored threat group, and the immense threat posed by the group cannot be ignored.