The FBI, CISA, and U.S. Department of the Treasury have recently released a joint advisory to highlight the threat posed by North Korean state-backed hackers known as Lazarus Group using several variants of the AppleJeus malware.
The report has named a total of seven fake cryptocurrency trading applications, which have been developed or modified to include AppleJeus malware variants to steal cryptocurrency.
- Active since at least 2018, the wide-ranging cryptocurrency theft campaigns have so far relied on malicious applications named Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, and Ants2Whale.
- Using these malicious applications infected with AppleJeus malware, threat actors have successfully targeted organizations worldwide.
- The hackers have used multiple initial infection vectors, such as phishing, social networking, and social engineering techniques, to lure victims into downloading the malware.
- These fake cryptocurrency trading applications provide the attackers with a way to bypass international sanctions imposed on North Korea.
Lazarus group and malicious campaigns
- In January 2020, the Lazarus group modified its methodology to target macOS users with manipulated applications that deliver AppleJeus.
- The threat actor had launched similar campaigns in October and December 2019, using trojanized cryptocurrency trading applications to infect victims with the malware.
With slight modifications in its techniques, the Lazarus group has been able to steal and launder hundreds of millions of dollars in cryptocurrency from cryptocurrency exchanges and individual accounts. In the past year alone, the group targeted cryptocurrency exchanges and financial service companies in 30 countries, which makes it a serious concern for cybersecurity professionals.