This cryptocurrency-stealing malware just got a significant upgrade and new tactics

The malware, linked to North Korean hackers, is after your bitcoin wallet.
Written by Danny Palmer, Senior Writer

A North Korea-backed hacking campaign targeting both Windows and macOS systems has been updated with new techniques and tools as it attempts to steal cryptocurrency from organisations and individuals around the world.

Dubbed Operation AppleJeus, the cyber-theft campaign has been in operation since at least 2018 and has been linked to the Lazarus Group, a state-sponsored hacking operation working on behalf of Pyongyang.

Despite its activities being detailed in 2018, AppleJeus has continued its cryptocurrency-stealing cyberattacks and now researchers at Kaspersky Lab have detailed how the hacking operation has enhanced its capabilities.


Attacks have been launched against businesses connected to cryptocurrency across the globe, with confirmed victims in the UK, Poland, Russia and China – although none have been publicly named.

The malware used in the attacks continues to target both Apple and Microsoft users, with both versions tweaked to improve their capabilities and to evade detection more effectively, while the delivery method has also been improved.

There are also more versions of the malware, particularly when it comes to attacks targeting macOS. The Windows payload has also been altered significantly, indicating that a lot of development is going into the operation.

Previous incarnations of the campaign relied on coercing victims into downloading compromised third-party software, but now the mechanism of delivery appears to be phoney websites masquerading as cryptocurrency exchanges and bitcoin wallet hosts. Interacting with these websites begins the process of downloading the malware.

However, despite the resources likely to be available to Lazarus Group, researchers point out that while these fake websites look legitimate at first glance – with references to blockchain, ICOs and links to whitepapers – there are signs that suggest something isn't right. These include large numbers of links that don't work and contact details that lead to inactive messenger groups.

Even within the cryptocurrency space, the campaign appears to be carefully targeted, with the final payload only being delivered to selected systems after a reconnaissance mission that checks the infected system's information. Researchers note that this tactic is likely a means of evading detection.

While Lazarus Group is known to conduct cyber-espionage campaigns, the theft of cryptocurrency remains important to North Korea as a means of filling the treasury. Researchers aren't certain as to how much Operation AppleJeus has stolen, but the United Nations has reported that North Korea's attacks against banks and cryptocurrency exchanges have resulted in the theft of over $2 billion.

And despite the volatility of the cryptocurrency market, North Korea shows no signs of slowing down attacks in this space.

"The AppleJeus operation demonstrates that despite significant stagnation in the cryptocurrency markets, Lazarus continues to invest in cryptocurrency-related attacks, making them more sophisticated," said Seongsu Park, senior security researcher at Kaspersky Lab.

"Further changes and diversification of their malware demonstrates that there is no reason to believe that these attacks will not grow in numbers and become a more serious threat".


To protect against these attacks, Kaspersky Lab recommends that organisations dealing with cryptocurrency ensure that employees are trained about phishing so they can better distinguish fake websites and other phishing attacks.

Researchers also recommend that security teams monitor their systems for vulnerabilities and patch them when required, and that users only use reliable and proven cryptocurrency platforms.
