The notorious North Korea-backed APT group Lazarus is steadily expanding its attack surface, leveraging rogue cryptocurrency apps to distribute AppleJeus malware. In this latest adversary campaign, Lazarus hackers use fake cryptocurrency apps dubbed BloxHolder to drop AppleJeus malware, gain initial access to networks, and steal crypto assets.
For the past four years, the Lazarus APT group has been particularly interested in attacking cryptocurrency and blockchain companies for financial gain. For instance, in April 2022, Lazarus' TraderTraitor campaign came into the spotlight, targeting trading, exchange and investment-oriented companies, NFT and crypto-gaming businesses, as well as individual holders of cryptocurrency wallets, cryptocurrencies and NFTs.
Detect AppleJeus malware
The Lazarus Group is a notorious North Korean state-backed hacking group. This APT group has been on the radar since at least 2009 and is suspected of being behind a series of high-profile campaigns, including cyberwarfare, cyberespionage, and ransomware attacks. To proactively defend against the latest Lazarus campaign distributing the improved version of AppleJeus malware, download a batch of dedicated Sigma rules from SOC Prime's Detection as Code platform:
Sigma Rules for Detecting AppleJeus Malware by Lazarus APT Group
All of the above detection content maps to the MITRE ATT&CK® framework and supports translations into over 25 industry-leading SIEM, EDR, BDP, and XDR alert and query formats. Detection algorithms are provided by both the SOC Prime Team and our experienced Threat Bounty developers, ensuring a variety of rules to fit your threat profile and the technology stack in use.
Join our Threat Bounty Program for cyber defenders to create your own Sigma rules, publish them on the world's largest threat detection marketplace, and earn money for your contribution. With SOC Prime's Threat Bounty, you can really strengthen your CV while gaining knowledge of Sigma and ATT&CK and honing your threat hunting and detection engineering skills.
To date, the SOC Prime Platform offers a variety of Sigma rules covering detection tools and attack techniques associated with the Lazarus APT collective. Hit the Explore Detections button to check the detection algorithms accompanied by the corresponding ATT&CK references, threat intelligence links and other relevant metadata.
Explore Detections
AppleJeus Malware Description: Attack Analysis of Latest Activity by Lazarus APT
The North Korean state-sponsored Lazarus APT group, also known as HIDDEN COBRA, is behind a wave of recent cyberattacks targeting network and cryptocurrency users by distributing fake cryptocurrency apps under the name BloxHolder and spreading the AppleJeus malware on compromised systems.
The hacker collective has been distributing AppleJeus since 2018 to steal cryptocurrency from targeted users. In February 2021, CISA, the FBI, and the Department of the Treasury (Treasury) issued a joint advisory detailing the AppleJeus malware along with mitigation recommendations. The Lazarus APT group responsible for the delivery of this malware targeted individual users and organizations worldwide across multiple industry sectors, including cryptocurrency exchanges and financial institutions, in attempts to steal cryptocurrency assets. According to this advisory, the North Korean nation-backed hacker collective was leveraging up to seven different variants of AppleJeus as of 2018, constantly updating and enriching them with improved capabilities.
Volexity cybersecurity researchers were the first to observe new activity by Lazarus threat actors in June 2022, installing AppleJeus using weaponized Microsoft Office document files as decoys to attract the attention of targeted cryptocurrency users. The hackers registered a new domain name, bloxholder[.]com, for a cryptocurrency trading platform. Investigation has shown that the latter was a pure clone of another legitimate website. Cybersecurity researchers came across this fake BloxHolder website, which gave the related malicious campaign its name, after observing the malicious AppleJeus strain inside the MSI file that was trying to lure cryptocurrency users into downloading the cryptocurrency app and trigger the infection chain. As soon as the decoy file installs the legitimate application, it creates a scheduled task and places the malicious files in the system folder, resulting in the deployment of the new AppleJeus malware variant.
In October 2022, the hacker collective furthered their malicious campaigns by leveraging Microsoft Office documents instead of the MSI installer to deliver AppleJeus. In recent cyberattacks, Lazarus hackers have also enhanced their offensive capabilities by applying a chained DLL sideloading technique to load the malware, allowing them to evade detection. Moreover, in the latest campaign spreading the AppleJeus malware, all strings and API calls are obfuscated using a custom encryption algorithm, posing another challenge for cyber defenders seeking to identify the infection early.
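Detection logic for the installer-to-scheduled-task step of the chain described in the two paragraphs above, as an added example that is not SOC Prime's rule content or Volexity's analysis: it correlates constructed Sysmon-style events and flags a file written by msiexec.exe into a watched system folder that is then referenced by a schtasks /create command shortly afterwards. The event layout, the watched folder list and all file names are assumptions.

```python
# Added example (not SOC Prime's or Volexity's code): correlate an MSI
# installer dropping a file into a system folder with a scheduled task that
# points at that file. Event shape, folders and sample values are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed set of "system folders" worth watching for installer drops.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\programdata\\")


@dataclass
class Event:
    ts: datetime
    kind: str     # "file_create" or "process_create" (Sysmon-style, assumed)
    image: str    # process that produced the event
    target: str   # file path written, or the full command line


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def find_msi_task_chain(events, window=timedelta(minutes=10)):
    """Return (dropped_file, schtasks_cmdline) pairs where msiexec.exe wrote a
    file into a watched folder and, within `window`, schtasks.exe created a
    task whose command line references that file."""
    drops = {}   # lowercased path -> time msiexec wrote it
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        img = e.image.lower()
        if e.kind == "file_create" and img.endswith("\\msiexec.exe") and in_system_dir(e.target):
            drops[e.target.lower()] = e.ts
        elif e.kind == "process_create" and img.endswith("\\schtasks.exe") and "/create" in e.target.lower():
            cmd = e.target.lower()
            for path, written in drops.items():
                if path in cmd and timedelta(0) <= e.ts - written <= window:
                    hits.append((path, e.target))
    return hits


# Constructed sample telemetry; file names are placeholders, not campaign IoCs.
TASK_CMD = 'schtasks /create /tn "BloxHolderUpdate" /tr "C:\\ProgramData\\BloxHolder\\updater.exe" /sc onlogon'
SAMPLE_EVENTS = [
    Event(datetime(2022, 6, 1, 10, 0, 0), "process_create", "C:\\Windows\\System32\\msiexec.exe", "msiexec /i BloxHolder.msi"),
    Event(datetime(2022, 6, 1, 10, 0, 4), "file_create", "C:\\Windows\\System32\\msiexec.exe", "C:\\Program Files\\BloxHolder\\BloxHolder.exe"),  # legit app, unwatched folder
    Event(datetime(2022, 6, 1, 10, 0, 6), "file_create", "C:\\Windows\\System32\\msiexec.exe", "C:\\ProgramData\\BloxHolder\\updater.exe"),
    Event(datetime(2022, 6, 1, 10, 0, 9), "process_create", "C:\\Windows\\System32\\schtasks.exe", TASK_CMD),
]

if __name__ == "__main__":
    for path, cmd in find_msi_task_chain(SAMPLE_EVENTS):
        print(f"ALERT: MSI-dropped {path} registered as a scheduled task: {cmd}")
```

The legitimate application dropped into Program Files is deliberately left out of the result, which is the false-positive case a rule over installer writes alone would trip on.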
The increasing volume of cyberattacks by the notorious state-backed Lazarus APT group and their growing sophistication require high responsiveness from cyber defenders. Explore socprime.com to search for Sigma rules against current and emerging threats, including malware affecting cryptocurrency users, and access over 9,000 ideas for threat detection and hunting engineering along with comprehensive cyber threat context. Or upgrade to On Demand as part of our Cyber Monday deal valid through December 31 and get up to 200 premium Sigma rules of your choice on top of the detection stack available in your chosen package.