
Lazarus Back with New Fake Crypto Apps Under the BloxHolder Brand

We are all acquainted with the name Lazarus group, the North Korea-sponsored APT group. It is well known for popping up with innovative schemes to make the most of its campaigns. Volexity researchers came across one such recent campaign that has been using fake cryptocurrency apps, under the fake brand BloxHolder.

Diving into details

BloxHolder is a made-up brand under which the Lazarus group is propagating its fake cryptocurrency apps to ultimately deploy the AppleJeus malware. The aim is to gain initial access to networks and steal cryptocurrency assets.
  • The campaign was initiated in June and lasted until October. Lazarus used the bloxholder[.]com domain, a copy of the HaasOnline automated crypto trading platform.
  • Initially, the threat actor used an MSI installer to deliver AppleJeus; in October, however, it shifted tactics and began using MS Office documents instead.

Why this matters

  • The Lazarus group used DLL sideloading to load the malware from within a trusted process, possibly to evade detection and hinder malware analysis.
  • Furthermore, the strings and API calls in the recent AppleJeus samples are obfuscated with a custom algorithm, making the malware harder for security tools to detect and analyze.
  • In addition to the above, Lazarus group’s goal to keep pilfering cryptocurrency assets remains steadfast, with new themes and toolsets introduced in every campaign to maintain stealth.

More on Lazarus

In mid-November, the Lazarus APT gang was found using the DTrack malware to attack organizations in the U.S., Germany, India, Italy, Brazil, Saudi Arabia, Turkey, Mexico, and Switzerland.
  • It targeted government research centers, chemical manufacturers, utility service providers, policy institutes, and others.
  • In October, the Lazarus group and Mustang Panda were found using unsigned DLL loading to avoid detection. 
  • In that particular campaign, the threat actors exploited a vulnerability in OneDrive to plant the main payload, which impersonated a OneDrive library.

The bottom line

The Lazarus group's continued effort to target cryptocurrency users shows no signs of stopping, despite recent attention to its campaigns and tactics. In an attempt to evade detection, the group has even decided to use DLL sideloading. Moreover, the use of MS Office documents to deploy AppleJeus has not been recorded before.
Cyware Publisher