{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/applejeus/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["high"],"_cs_tags":["applejeus","macos","lazarus group","backdoor","cryptocurrency"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe Lazarus APT group is distributing a new variant of its AppleJeus macOS backdoor through a fake cryptocurrency trading application called \u0026ldquo;JMT Trader.\u0026rdquo; The attackers created a fake company and website (jmttrading.org) to distribute the malicious application. The JMTTrader_Mac.dmg disk image contains a package installer (JMTTrader.pkg) that installs the AppleJeus backdoor. The malware utilizes a launch daemon for persistence and communicates with a command-and-control server to receive instructions. This campaign, observed in October 2019, targets macOS users interested in cryptocurrency trading and highlights Lazarus Group\u0026rsquo;s continued focus on financial gain. 
The analyzed sample\u0026rsquo;s SHA1 hash is 74390fba9445188f2489959cb289e73c6fbe58e4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user is lured to the fake JMT Trading website (jmttrading.org) and downloads the JMTTrader_Mac.dmg disk image.\u003c/li\u003e\n\u003cli\u003eThe user mounts the disk image, which contains the JMTTrader.pkg installer.\u003c/li\u003e\n\u003cli\u003eThe user executes the JMTTrader.pkg installer, which prompts for administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe postinstall script within the package moves \u003ccode\u003e.org.jmttrading.plist\u003c/code\u003e to \u003ccode\u003e/Library/LaunchDaemons/org.jmttrading.plist\u003c/code\u003e and sets permissions.\u003c/li\u003e\n\u003cli\u003eThe script creates the \u003ccode\u003e/Library/JMTTrader\u003c/code\u003e directory and moves \u003ccode\u003e.CrashReporter\u003c/code\u003e to \u003ccode\u003e/Library/JMTTrader/CrashReporter\u003c/code\u003e, setting execute permissions.\u003c/li\u003e\n\u003cli\u003eThe script executes \u003ccode\u003e/Library/JMTTrader/CrashReporter\u003c/code\u003e with the \u003ccode\u003eMaintain\u003c/code\u003e command-line argument for initial connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCrashReporter\u003c/code\u003e binary connects to the C\u0026amp;C server at \u003ccode\u003ebeastgoc.com\u003c/code\u003e via HTTPS POST requests to \u003ccode\u003e/grepmonux.php\u003c/code\u003e, sending system information (token, version, PID) after XOR \u0026ldquo;encryption\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe backdoor awaits commands from the C\u0026amp;C server to perform malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection allows the Lazarus Group to gain persistent remote access to the compromised macOS system. 
This can lead to the theft of cryptocurrency, sensitive financial data, or further propagation of malware within the victim\u0026rsquo;s network. While specific victim counts are unavailable, previous AppleJeus campaigns have targeted cryptocurrency exchanges, potentially resulting in substantial financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for \u003ccode\u003e/Library/JMTTrader/CrashReporter\u003c/code\u003e executing with the \u003ccode\u003eMaintain\u003c/code\u003e argument, using the Sigma rule \u0026ldquo;Detect AppleJeus CrashReporter Execution\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to \u003ccode\u003ebeastgoc.com\u003c/code\u003e on TCP port 443, using the Sigma rule \u0026ldquo;Detect AppleJeus C2 Communication\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eBlock the C\u0026amp;C domain \u003ccode\u003ebeastgoc.com\u003c/code\u003e at the DNS resolver to prevent initial communication.\u003c/li\u003e\n\u003cli\u003eInspect macOS systems for the presence of the launch daemon \u003ccode\u003e/Library/LaunchDaemons/org.jmttrading.plist\u003c/code\u003e and the \u003ccode\u003eCrashReporter\u003c/code\u003e binary in \u003ccode\u003e/Library/JMTTrader/\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-applejeus-macos/","summary":"The Lazarus APT group is distributing a macOS backdoor named AppleJeus via a fake cryptocurrency trading application called JMT Trader, persisting through a launch daemon and communicating with the C\u0026C server beastgoc.com.","title":"Lazarus Group's AppleJeus macOS Backdoor via JMT Trader","url":"https://feed.craftedsignal.io/briefs/2024-01-applejeus-macos/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond 
Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["lazarus-group","macos","malware","fileless","applejeus"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Lazarus Group\u0026rsquo;s macOS loader, named \u0026lsquo;macloader\u0026rsquo; internally and detected as OSX.AppleJeus.C, was discovered in late 2019. It persists through a launch daemon at \u003ccode\u003e/Library/LaunchDaemons/vip.unioncrypto.plist\u003c/code\u003e that points to \u003ccode\u003e/Library/UnionCrypto/unioncryptoupdater\u003c/code\u003e. Its defining feature is that the second-stage payload, retrieved from the command and control (C\u0026amp;C) server at \u003ccode\u003ehttps://unioncrypto.vip/update\u003c/code\u003e, is executed directly from memory and never touches the file system; only the first-stage loader and its launch daemon exist on disk. Each beacon carries basic system information (macOS version, serial number) and the implant version (\u0026ldquo;1.0\u0026rdquo;).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe loader is deployed on the system (the delivery mechanism is not specified in the source).\u003c/li\u003e\n\u003cli\u003ePersistence is established via a launch daemon at \u003ccode\u003e/Library/LaunchDaemons/vip.unioncrypto.plist\u003c/code\u003e pointing to \u003ccode\u003e/Library/UnionCrypto/unioncryptoupdater\u003c/code\u003e. Writing there requires root, and launchd runs a daemon as root unless its plist specifies a \u003ccode\u003eUserName\u003c/code\u003e, so the loader starts with root privileges on every boot.\u003c/li\u003e\n\u003cli\u003eThe loader beacons to the C\u0026amp;C server \u003ccode\u003ehttps://unioncrypto.vip/update\u003c/code\u003e with an HTTPS POST, framed as an update check, whose body carries the macOS version and the serial number.\u003c/li\u003e\n\u003cli\u003eThe C\u0026amp;C server answers with HTTP 200 OK, the body containing at least 0x400 (1024) bytes of base64-encoded data, which is the second-stage payload.\u003c/li\u003e\n\u003cli\u003eThe loader base64-decodes the response body.\u003c/li\u003e\n\u003cli\u003eThe loader computes an MD5 hash of the system\u0026rsquo;s serial number prefixed with the byte 0x18.\u003c/li\u003e\n\u003cli\u003eThe loader decrypts part of the decoded payload with AES-CBC using a key and IV; the source does not state how they are derived or whether the hash from the previous step is involved.\u003c/li\u003e\n\u003cli\u003eThe loader maps and executes the decrypted second stage directly from memory through its \u003ccode\u003eload_from_memory\u003c/code\u003e function, so arbitrary code runs without anything being written to disk.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution gives the attackers a persistent foothold on the macOS system, the ability to execute arbitrary code, and potentially the means to exfiltrate sensitive data. Because the second stage never touches disk, file-based scanning will only ever find the first-stage loader and its launch daemon; recovering the payload requires capturing the memory of the running \u003ccode\u003eunioncryptoupdater\u003c/code\u003e process or the C\u0026amp;C response itself, which makes detection and forensic analysis significantly more challenging. 
The loader\u0026rsquo;s capabilities could be repurposed by other threat actors for espionage, data theft, or deployment of additional malware. The number of victims and the sectors targeted are not specified in the source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor with a file integrity monitoring tool for the creation of \u003ccode\u003e/Library/LaunchDaemons/vip.unioncrypto.plist\u003c/code\u003e, or of any launch daemon whose program is \u003ccode\u003e/Library/UnionCrypto/unioncryptoupdater\u003c/code\u003e (Attack Chain step 2); match on the program path as well as the file name, since the label is trivial to rename.\u003c/li\u003e\n\u003cli\u003eAlert on DNS lookups of and connections to the C\u0026amp;C domain \u003ccode\u003eunioncrypto.vip\u003c/code\u003e (Attack Chain step 3). The beacon is HTTPS, so the \u003ccode\u003e/update\u003c/code\u003e path is not visible on the wire; match on the domain in DNS or TLS SNI rather than on the URL.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eunioncryptoupdater\u003c/code\u003e to catch execution of the first-stage loader, the only stage that is ever on disk.\u003c/li\u003e\n\u003cli\u003eThe source names the Sigma rules \u0026ldquo;Detect Base64 Encoded Data in Process Memory\u0026rdquo; (Attack Chain step 5) and \u0026ldquo;Detect MD5 Hash of System Serial Number\u0026rdquo; (step 6) for the in-memory stages. Sigma rules match log events, so these only work where an EDR exposes such telemetry; where it does not, capture the memory of a running \u003ccode\u003eunioncryptoupdater\u003c/code\u003e process (or the C\u0026amp;C response, if it can be intercepted) to recover the second-stage payload for analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-lazarus-macloader/","summary":"The Lazarus Group's macloader (OSX.AppleJeus.C) persists through a launch daemon and executes payloads fetched from its C2 server directly from memory; its fileless second stage and potential for repurposing make it a significant threat.","title":"Lazarus Group Macloader Malware Analysis and Repurposing","url":"https://feed.craftedsignal.io/briefs/2024-01-lazarus-macloader/"}],"language":"en","title":"CraftedSignal Threat Feed — Applejeus","version":"https://jsonfeed.org/version/1.1"}
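Both briefs above rely on the same persistence primitive: a launch daemon in /Library/LaunchDaemons whose program lives in a vendor directory the installer created directly under /Library (/Library/JMTTrader/CrashReporter run with Maintain, and /Library/UnionCrypto/unioncryptoupdater). The following is an added example, not code from CraftedSignal or from the analyses the briefs summarise. It parses every daemon plist under a given root with Python's standard plistlib, flags the two indicator labels and program paths quoted in the briefs, and goes beyond those two samples with a generic heuristic (any daemon executing from a non-standard /Library vendor directory, or passing a Maintain argument). The TRUSTED_PREFIXES list, the root argument and the sample plists written by build_sample_root() are assumptions made for the demonstration.

```python
"""Hunt macOS launch daemons for AppleJeus persistence artefacts.

Added example, not code from the source feed. The labels and program paths
are the indicators quoted in the two briefs; TRUSTED_PREFIXES and the sample
plists written by build_sample_root() are assumptions for the demonstration.
"""
from __future__ import annotations

import os
import plistlib
import tempfile

# Indicators quoted in the briefs: daemon label -> program it launches.
KNOWN_IOCS = {
    'org.jmttrading': '/Library/JMTTrader/CrashReporter',
    'vip.unioncrypto': '/Library/UnionCrypto/unioncryptoupdater',
}
# Where a legitimate daemon's program normally lives (assumed list). Both
# samples run from a vendor directory the installer created directly under
# /Library, which is the generic pattern worth flagging.
TRUSTED_PREFIXES = ('/usr/', '/bin/', '/sbin/', '/System/', '/Applications/',
                    '/Library/Apple/', '/Library/PrivilegedHelperTools/')

def program_of(job: dict) -> tuple[str, list[str]]:
    """Return (program path, remaining arguments) from a launchd job dict."""
    args = list(job.get('ProgramArguments') or [])
    program = job.get('Program') or (args[0] if args else '')
    return program, args[1:]

def hunt_launch_daemons(root: str = '/') -> list[dict]:
    """Inspect <root>/Library/LaunchDaemons/*.plist and return suspicious jobs.

    root is '/' for the live system or the mount point of an acquired image.
    """
    findings = []
    daemon_dir = os.path.join(root, 'Library', 'LaunchDaemons')
    if not os.path.isdir(daemon_dir):
        return findings
    for name in sorted(os.listdir(daemon_dir)):
        if not name.endswith('.plist'):
            continue
        path = os.path.join(daemon_dir, name)
        try:
            with open(path, 'rb') as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings.append({'plist': path, 'label': name[:-6], 'reason': f'unparseable: {exc}'})
            continue
        label = job.get('Label', name[:-6])
        program, args = program_of(job)
        reasons = []
        if label in KNOWN_IOCS or program in KNOWN_IOCS.values():
            reasons.append('known AppleJeus indicator')
        if program.startswith('/Library/') and not program.startswith(TRUSTED_PREFIXES):
            reasons.append('program in non-standard /Library vendor directory')
        if 'Maintain' in args:
            reasons.append('Maintain argument (AppleJeus CrashReporter check-in)')
        if reasons:
            findings.append({
                'plist': path, 'label': label, 'program': program, 'args': args,
                # A missing binary means the daemon is dead but the install happened.
                'program_on_disk': os.path.exists(os.path.join(root, program.lstrip('/'))),
                'reason': '; '.join(reasons),
            })
    return findings

def build_sample_root() -> str:
    """Write constructed plists into a temporary tree that mimics a victim disk."""
    root = tempfile.mkdtemp(prefix='applejeus-hunt-')
    daemons = os.path.join(root, 'Library', 'LaunchDaemons')
    os.makedirs(daemons)
    samples = {
        # Constructed to mirror the JMT Trader persistence in the first brief.
        'org.jmttrading.plist': {
            'Label': 'org.jmttrading', 'RunAtLoad': True, 'KeepAlive': True,
            'ProgramArguments': ['/Library/JMTTrader/CrashReporter', 'Maintain']},
        # Constructed to mirror the macloader persistence in the second brief.
        'vip.unioncrypto.plist': {
            'Label': 'vip.unioncrypto', 'RunAtLoad': True,
            'ProgramArguments': ['/Library/UnionCrypto/unioncryptoupdater']},
        # A benign daemon that must not be flagged.
        'com.example.helper.plist': {
            'Label': 'com.example.helper',
            'ProgramArguments': ['/usr/libexec/example-helper', '--daemon']},
    }
    for name, job in samples.items():
        with open(os.path.join(daemons, name), 'wb') as fh:
            plistlib.dump(job, fh)
    # Only the macloader binary is present, so the JMT Trader finding reports a missing program.
    os.makedirs(os.path.join(root, 'Library', 'UnionCrypto'))
    open(os.path.join(root, 'Library', 'UnionCrypto', 'unioncryptoupdater'), 'wb').close()
    return root

if __name__ == '__main__':
    for finding in hunt_launch_daemons(build_sample_root()):
        print(finding)
```

Run it with root='/' on a live Mac (the daemon plists are world-readable, so no privileges are needed) or point it at a mounted image; the program_on_disk field separates a daemon whose binary has since been removed from one that is still live, and the generic heuristic will also surface third-party daemons that are legitimate, so treat it as a triage list rather than a verdict.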
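The recommendations in both briefs are process-creation and network detections. The following is an added example, not CraftedSignal's Sigma rules or code: a minimal Sigma-style matcher (exact match, contains, endswith, a list of values as OR, case-insensitive as Sigma specifies) run over constructed macOS telemetry. The first two rules carry the titles the first brief uses ("Detect AppleJeus CrashReporter Execution", "Detect AppleJeus C2 Communication"); the DNS, unioncrypto.vip and unioncryptoupdater rules are additions covering the second brief's recommendations. Field names (Image, CommandLine, DestinationHostname, DestinationPort, QueryName) follow Sigma's process_creation, network_connection and dns_query conventions, and every event in SAMPLE_TELEMETRY is constructed, not captured.

```python
"""Sigma-style detections for AppleJeus / macloader telemetry.

Added example, not CraftedSignal's rules or code. Field names follow Sigma's
process_creation / network_connection / dns_query log sources; the events in
SAMPLE_TELEMETRY are constructed for the demonstration, not captured.
"""
from __future__ import annotations

import json

# The first two titles are the ones the first brief names; the rest are
# additions covering the second brief's recommendations.
RULES = [
    {'title': 'Detect AppleJeus CrashReporter Execution',
     'logsource': 'process_creation',
     'selection': {'Image': '/Library/JMTTrader/CrashReporter',
                   'CommandLine|contains': ' Maintain'}},
    {'title': 'Detect AppleJeus C2 Communication',
     'logsource': 'network_connection',
     'selection': {'DestinationHostname': 'beastgoc.com', 'DestinationPort': 443}},
    {'title': 'Detect Macloader C2 Communication',
     'logsource': 'network_connection',
     'selection': {'DestinationHostname|endswith': 'unioncrypto.vip'}},
    {'title': 'Detect AppleJeus C2 Domain Lookup',
     'logsource': 'dns_query',
     'selection': {'QueryName|endswith': ['beastgoc.com', 'unioncrypto.vip']}},
    {'title': 'Detect Macloader First Stage Execution',
     'logsource': 'process_creation',
     'selection': {'Image|endswith': '/UnionCrypto/unioncryptoupdater'}},
]

def field_matches(value, modifier: str | None, expected) -> bool:
    """One Sigma field test: a list of expected values is an OR, and string
    comparison is case-insensitive, as the Sigma specification requires."""
    if isinstance(expected, list):
        return any(field_matches(value, modifier, e) for e in expected)
    if value is None:
        return False
    value, expected = str(value).lower(), str(expected).lower()
    if modifier is None:
        return value == expected
    if modifier == 'contains':
        return expected in value
    if modifier == 'endswith':
        return value.endswith(expected)
    if modifier == 'startswith':
        return value.startswith(expected)
    raise ValueError(f'unsupported modifier: {modifier}')

def rule_matches(rule: dict, event: dict) -> bool:
    """Every field in the selection must match (Sigma's implicit AND)."""
    if event.get('logsource') != rule['logsource']:
        return False
    for key, expected in rule['selection'].items():
        field, _, modifier = key.partition('|')
        if not field_matches(event.get(field), modifier or None, expected):
            return False
    return True

def run_rules(events: list[dict], rules: list[dict] = RULES) -> list[tuple[str, dict]]:
    """Return (rule title, event) for every event that trips a rule."""
    return [(r['title'], ev) for ev in events for r in rules if rule_matches(r, ev)]

def load_events(jsonl: str) -> list[dict]:
    """Parse one JSON object per line, the shape an EDR export typically has."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

# Constructed telemetry: the JMT Trader postinstall check-in, the macloader
# beacon, and two benign events (Apple's own ReportCrash, an unrelated TLS
# connection) that must not fire.
SAMPLE_TELEMETRY = '''
{"logsource": "process_creation", "Image": "/Library/JMTTrader/CrashReporter", "CommandLine": "/Library/JMTTrader/CrashReporter Maintain", "User": "root"}
{"logsource": "process_creation", "Image": "/System/Library/CoreServices/ReportCrash", "CommandLine": "/System/Library/CoreServices/ReportCrash", "User": "root"}
{"logsource": "network_connection", "Image": "/Library/JMTTrader/CrashReporter", "DestinationHostname": "beastgoc.com", "DestinationPort": 443}
{"logsource": "network_connection", "Image": "/usr/bin/curl", "DestinationHostname": "example.org", "DestinationPort": 443}
{"logsource": "dns_query", "Image": "/Library/UnionCrypto/unioncryptoupdater", "QueryName": "unioncrypto.vip"}
{"logsource": "network_connection", "Image": "/Library/UnionCrypto/unioncryptoupdater", "DestinationHostname": "unioncrypto.vip", "DestinationPort": 443}
{"logsource": "process_creation", "Image": "/Library/UnionCrypto/unioncryptoupdater", "CommandLine": "/Library/UnionCrypto/unioncryptoupdater", "User": "root"}
'''

if __name__ == '__main__':
    for title, event in run_rules(load_events(SAMPLE_TELEMETRY)):
        print(f'{title}: {event["Image"]}')
```

The CrashReporter rule deliberately keys on the full path plus the Maintain argument: macOS ships its own ReportCrash under /System/Library/CoreServices, so matching on the binary name alone would drown the alert in benign crash handling. The network rules key on the hostname because the beacons are HTTPS and the URI paths (/grepmonux.php, /update) are never visible to a network sensor.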