https://feed.craftedsignal.io/tags/applejeus/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 15:30:00 +0000https://feed.craftedsignal.io/briefs/2024-01-applejeus-macos/Wed, 03 Jan 2024 15:30:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-applejeus-macos/The Lazarus APT group is distributing a macOS backdoor named AppleJeus via a fake cryptocurrency trading application called JMT Trader, persisting through a launch daemon and communicating with the C&C server beastgoc.com.The Lazarus APT group is distributing a new variant of its AppleJeus macOS backdoor through a fake cryptocurrency trading application called “JMT Trader.” The attackers created a fake company and website (jmttrading.org) to distribute the malicious application. The JMTTrader_Mac.dmg disk image contains a package installer (JMTTrader.pkg) that installs the AppleJeus backdoor. The malware utilizes a launch daemon for persistence and communicates with a command-and-control server to receive instructions. This campaign, observed in October 2019, targets macOS users interested in cryptocurrency trading and highlights Lazarus Group’s continued focus on financial gain. The analyzed sample’s SHA1 hash is 74390fba9445188f2489959cb289e73c6fbe58e4.

Attack Chain

1. A user is lured to the fake JMT Trading website (jmttrading.org) and downloads the JMTTrader_Mac.dmg disk image.
2. The user mounts the disk image, which contains the JMTTrader.pkg installer.
3. The user executes the JMTTrader.pkg installer, which prompts for administrative privileges.
4. The postinstall script within the package moves .org.jmttrading.plist to /Library/LaunchDaemons/org.jmttrading.plist and sets permissions.
5. The script creates the /Library/JMTTrader directory and moves .CrashReporter to /Library/JMTTrader/CrashReporter, setting execute permissions.
6. The script executes /Library/JMTTrader/CrashReporter with the Maintain command-line argument for initial connection.
7. The CrashReporter binary connects to the C&C server at beastgoc.com via HTTPS POST requests to /grepmonux.php, sending system information (token, version, PID) after XOR “encryption”.
8. The backdoor awaits commands from the C&C server to perform malicious activities.

Impact

Successful infection allows the Lazarus Group to gain persistent remote access to the compromised macOS system. This can lead to the theft of cryptocurrency, sensitive financial data, or further propagation of malware within the victim’s network. While specific victim counts are unavailable, previous AppleJeus campaigns have targeted cryptocurrency exchanges, potentially resulting in substantial financial losses.

Recommendation

• Monitor process creations for /Library/JMTTrader/CrashReporter executing with the Maintain argument, using the Sigma rule “Detect AppleJeus CrashReporter Execution”.
• Monitor network connections to beastgoc.com on TCP port 443, using the Sigma rule “Detect AppleJeus C2 Communication”.
• Block the C&C domain beastgoc.com at the DNS resolver to prevent initial communication.
• Inspect macOS systems for the presence of the launch daemon /Library/LaunchDaemons/org.jmttrading.plist and the CrashReporter binary in /Library/JMTTrader/.

]]>highthreatapplejeusmacoslazarus groupbackdoorcryptocurrencyhttps://feed.craftedsignal.io/briefs/2024-01-lazarus-macloader/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-lazarus-macloader/The Lazarus group's macloader malware (OSX.AppleJeus.C) uses a launch daemon for persistence and executes downloaded payloads directly from memory, communicating with a C2 server to retrieve second-stage payloads, posing a significant threat due to its fileless execution and potential for repurposing.The Lazarus Group’s macloader malware, internally named ‘macloader’ and externally identified as OSX.AppleJeus.C, exhibits advanced techniques for macOS malware. Discovered in late 2019, this malware employs a launch daemon for persistence at /Library/LaunchDaemons/vip.unioncrypto.plist pointing to /Library/UnionCrypto/unioncryptoupdater. A key feature is its ability to execute second-stage payloads directly from memory, enhancing stealth and complicating forensic analysis. The malware communicates with its command and control (C&C) server at https://unioncrypto.vip/update to retrieve these payloads. This “fileless” execution capability makes it a potent threat, as the payloads never touch the file system. The malware beacons out providing basic system information (macOS version, serial number) and the implant version (“1.0”). This malware is notable for its in-memory execution of downloaded payloads.

Attack Chain

1. The malware is initially deployed on the system (delivery mechanism unspecified in the source).
2. Persistence is established via a launch daemon at /Library/LaunchDaemons/vip.unioncrypto.plist pointing to /Library/UnionCrypto/unioncryptoupdater.
3. The malware beacons out to the C&C server https://unioncrypto.vip/update to check for updates. It sends system information, including macOS version and serial number, in the POST request.
4. The C&C server responds with an HTTP 200 OK, containing at least 0x400 bytes of base64-encoded data representing the second-stage payload.
5. The malware base64-decodes the received data.
6. The malware calculates an MD5 hash of the system’s serial number (prefixed with 0x18).
7. The malware decrypts part of the decoded payload using AES-CBC with a key and IV.
8. The malware loads and executes the decrypted second-stage payload directly from memory using the load_from_memory function. The final objective is to execute arbitrary code without writing to disk.

Impact

Successful execution of this malware allows attackers to gain a persistent foothold on macOS systems, execute arbitrary code, and potentially exfiltrate sensitive data. The fileless nature of the second-stage payload makes detection and forensic analysis significantly more challenging. The malware’s capabilities could be repurposed by other threat actors for various malicious activities, including espionage, data theft, or deployment of additional malware. The number of victims and specific sectors targeted are not specified in the source.

Recommendation

• Monitor for the creation of launch daemons with the name vip.unioncrypto.plist and pointing to /Library/UnionCrypto/unioncryptoupdater using a file integrity monitoring tool (related to Attack Chain step 2).
• Implement a network detection rule to identify connections to the C&C server unioncrypto.vip (IOC - domain).
• Deploy the Sigma rule “Detect Base64 Encoded Data in Process Memory” to identify potential in-memory payloads (related to Attack Chain step 5).
• Monitor process creation events for unioncryptoupdater to identify potential execution of the first-stage loader.
• Implement the Sigma rule “Detect MD5 Hash of System Serial Number” to identify potential MD5 hashing of the Mac OS serial number.

]]>highthreatlazarus-groupmacosmalwarefilelessapplejeus