US-CERT- AA21-048A: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

Started by Netwörkheäd, March 20, 2021, 06:17:43 PM


AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware

[html]Original release date: February 17, 2021 | Last revised: March 2, 2021<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v8/techniques/enterprise/">ATT&amp;CK for Enterprise</a> for all referenced threat actor tactics and techniques.</em></p>

<p>This joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People's Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored&nbsp;advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.</p>

<p>These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone. It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea—the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts. As highlighted in <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a">FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks</a> and <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-106a">Guidance on the North Korean Cyber Threat</a>, North Korea's state-sponsored cyber actors are targeting cryptocurrency exchanges and accounts to steal and launder hundreds of millions of dollars in cryptocurrency.[<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a">1</a>][<a href="https://home.treasury.gov/news/press-releases/sm924">2</a>][<a href="https://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack">3</a>] The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit <a href="https://us-cert.cisa.gov/northkorea">https://www.us-cert.cisa.gov/northkorea</a>.</p>

<p>The U.S. Government has identified malware and indicators of compromise (IOCs) used by the North Korean government to facilitate cryptocurrency thefts; the cybersecurity community refers to this activity as "AppleJeus." This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. In addition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.</p>

<p>Refer to the following Malware Analysis Reports (MARs) for full technical details of AppleJeus malware and associated IOCs.</p>

<ul>
   <li><a href="https://us-cert.gov/ncas/analysis-reports/ar21-048a">MAR-10322463-1.v1: AppleJeus – Celas Trade Pro</a></li>
   <li><a href="https://us-cert.gov/ncas/analysis-reports/ar21-048b">MAR-10322463-2.v1: AppleJeus – JMT Trading</a></li>
   <li><a href="https://us-cert.gov/ncas/analysis-reports/ar21-048c">MAR-10322463-3.v1: AppleJeus – Union Crypto</a></li>
   <li><a href="https://us-cert.gov/ncas/analysis-reports/ar21-048d">MAR-10322463-4.v1: AppleJeus – Kupay Wallet</a></li>
   <li><a href="https://us-cert.gov/ncas/analysis-reports/ar21-048e">MAR-10322463-5.v1: AppleJeus – CoinGoTrade</a></li>
   <li><a href="https://us-cert.gov/ncas/analysis-reports/ar21-048f">MAR-10322463-6.v1: AppleJeus – Dorusio</a></li>
   <li><a href="https://us-cert.gov/ncas/analysis-reports/ar21-048g">MAR-10322463-7.v1: AppleJeus – Ants2Whale</a></li>
</ul>

<p><a href="https://us-cert.cisa.gov/sites/default/files/Joint_Cybersecurity_Advisory_AppleJeus%E2%80%93508.pdf">Click here</a> for a PDF version of this report.</p>
<h3>Technical Details</h3><p>The North Korean government has used multiple versions of AppleJeus since the malware was initially discovered in 2018. This section outlines seven of the versions below. The MARs listed above provide further technical details of these versions. Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware.</p>

<h3 class="italic">Targeted Nations</h3>

<p>HIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy, finance, government, industry, technology, and telecommunications. Since January 2020, the threat actors have targeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States (figure 1).</p>


<p class="text-align-center"><img alt="Map of countries targeted with AppleJeus since 2020" data-entity-type="file" data-entity-uuid="ca04f2c3-ef06-4bb4-b3f5-f674e05d3088" height="362" src="https://us-cert.cisa.gov/sites/default/files/publications/Jeus_1.png" width="690" /><br />
<em>Figure 1: Countries targeted with AppleJeus by HIDDEN COBRA threat actors since 2020</em></p>

<h3 class="italic">AppleJeus Versions Note</h3>

<p>The version numbers used for headings in this document correspond to the order in which the AppleJeus campaigns were identified in open source or through other investigative means. This numbering does not necessarily reflect the order in which the campaigns were developed or deployed.</p>

<h3 class="italic">AppleJeus Version 1: Celas Trade Pro</h3>

<h4><strong>Introduction and Infrastructure</strong></h4>

<p>In August 2018, open-source reporting disclosed information about a trojanized version of a legitimate cryptocurrency trading application on an undisclosed victim's computer. The malicious program, known as Celas Trade Pro, was a modified version of the benign Q.T. Bitcoin Trader application. This incident led to the victim company being infected with a Remote Administration Tool (RAT) known as FALLCHILL, which was attributed to North Korea (HIDDEN COBRA) by the U.S. Government. FALLCHILL is a fully functional RAT with multiple commands that the adversary can issue from a command and control (C2) server to infected systems via various proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware (<em>Develop Capabilities: Malware </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1587/001/">T1587.001</a>]). Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.[<a href="https://us-cert.cisa.gov/ncas/alerts/TA17-318A">4</a>]</p>

<p>Further research revealed that a phishing email from a company called Celas LLC (<em>Phishing: Spearphishing Link</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1566/002/">T1566.002</a>]) recommended the trojanized cryptocurrency trading application to victims. The email provided a link to Celas LLC's website, <code>celasllc[.]com</code> (<em>Acquire Infrastructure: Domain</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1583/001/">T1583.001</a>]), where the victim could download a Windows or macOS version of the trojanized application.</p>

<p>The <code>celasllc[.]com</code> domain resolved to the following Internet Protocol (IP) addresses from May 29, 2018, to January 23, 2021.</p>


<p>The <code>celasllc[.]com</code> domain had a valid Sectigo (previously known as Comodo) Secure Sockets Layer (SSL) certificate (<em>Obtain Capabilities: Digital Certificates </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1588/004/">T1588.004</a>]). The SSL certificate was "Domain Control Validated," a weak security verification level that does not require validation of the owner's identity or the actual business's existence.</p>

<h4><strong>Celas Trade Pro Application Analysis</strong></h4>

<h4><em><strong>Windows Program</strong></em></h4>

<p>The Windows version of the malicious Celas Trade Pro application is an MSI Installer (<code>.msi</code>). The MSI Installer installation package comprises a software component and an application programming interface (API) that Microsoft uses for the installation, maintenance, and removal of software. The installer looks legitimate and is signed by a valid Sectigo certificate that was purchased by the same user as the SSL certificate for <code>celasllc[.]com</code> (<em>Obtain Capabilities: Code Signing Certificates</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1588/003/">T1588.003</a>]). The MSI Installer asks the victim for administrative privileges to run (<em>User Execution: Malicious File</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1204/002">T1204.002</a>]).</p>

<p>Once permission is granted, the threat actor is able to run the program with elevated privileges (<em>Abuse Elevation Control Mechanism</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1548/">T1548</a>]) and MSI executes the following actions.</p>

<ul>
   <li>Installs <code>CelasTradePro.exe</code> in folder <code>C:\Program Files (x86)\CelasTradePro</code></li>
   <li>Installs <code>Updater.exe</code> in folder <code>C:\Program Files (x86)\CelasTradePro</code></li>
   <li>Runs <code>Updater.exe</code> with the <code>CheckUpdate</code> parameters</li>
</ul>

<p>The <code>CelasTradePro.exe</code> program asks for the user's exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.</p>

<p>The <code>Updater.exe</code> program has the same program icon as <code>CelasTradePro.exe</code>. When run, it checks for the <code>CheckUpdate</code> parameter, collects the victim's host information (<em>System Owner/User Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1033">T1033</a>]), encrypts the collected information with a hardcoded XOR key, and sends the encrypted information to a C2 website (<em>Exfiltration Over C2 Channel</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1041">T1041</a>]).</p>

<h4><strong><em>macOS X Program</em></strong></h4>

<p>The macOS version of the malicious application is a DMG Installer that has a disk image format that Apple commonly uses to distribute software over the internet. The installer looks legitimate and has a valid digital signature from Sectigo (<em>Obtain Capabilities: Digital Certificates </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1588/004/">T1588.004</a>]). It has very similar functionality to the Windows version. The installer executes the following actions.</p>

<ul>
   <li>Installs <code>CelasTradePro</code> in folder <code>/Applications/CelasTradePro.app/Contents/MacOS/</code></li>
   <li>Installs <code>Updater</code> in folder <code>/Applications/CelasTradePro.app/Contents/MacOS</code></li>
   <li>Executes a <code>postinstall</code> script
   <ul>
      <li>Moves <code>.com.celastradepro.plist</code> to folder <code>LaunchDaemons</code></li>
      <li>Runs <code>Updater</code> with the <code>CheckUpdate</code> parameter</li>
   </ul>
   </li>
</ul>

<p><code>CelasTradePro</code> asks for the user's exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.</p>

<p><code>Updater</code> checks for the <code>CheckUpdate</code> parameter and, when found, it collects the victim's host information (<em>System Owner/User Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1033">T1033</a>]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (<em>Exfiltration Over C2 Channel</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1041">T1041</a>]). This process helps the adversary obtain persistence on a victim's network.</p>

<p>The <code>postinstall</code> script is a sequence of instructions that runs after successfully installing an application (<em>Command and Scripting Interpreter: AppleScript</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1059/002/">T1059.002</a>]). This script moves property list (<code>plist</code>) file <code>.com.celastradepro.plist</code> from the installer package to the <code>LaunchDaemons</code> folder (<em>Scheduled Task/Job: Launchd</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1053/004/">T1053.004</a>]). The leading "." makes it unlisted in the Finder app or default Terminal directory listing (<em>Hide Artifacts: Hidden Files and Directories</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1564/001/">T1564.001</a>]). Once in the folder, this property list (<code>plist</code>) file will launch the <code>Updater</code> program with the <code>CheckUpdate</code> parameter on system load as Root for every user. Because the <code>LaunchDaemon</code> will not run automatically after the <code>plist</code> file is moved, the <code>postinstall</code> script launches the <code>Updater</code> program with the <code>CheckUpdate</code> parameter and runs it in the background (<em>Create or Modify System Process: Launch Daemon</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1543/004/">T1543.004</a>]).</p>

<h4><strong><em>Payload</em></strong></h4>

<p>After a cybersecurity company published a report detailing the above programs and their malicious extras, the website was no longer accessible. Since this site was the C2 server, the payload cannot be confirmed. The cybersecurity company that published the report states the payload was an encrypted and obfuscated binary (<em>Obfuscated Files or Information </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1027">T1027</a>]), which eventually drops FALLCHILL onto the machine and installs it as a service (<em>Create or Modify System Process: Windows Service </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1543/003">T1543.003</a>]). FALLCHILL malware uses an RC4 encryption algorithm with a 16-byte key to protect its communications (<em>Encrypted Channel: Symmetric Cryptography</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1573/001">T1573.001</a>]). The key employed in these versions has also been used in a previous version of FALLCHILL.[<a href="https://us-cert.cisa.gov/ncas/alerts/TA17-318A">5</a>][<a href="https://attack.mitre.org/versions/v8/software/S0181/">6</a>]</p>

<p>For more details on AppleJeus Version 1: Celas Trade Pro, see <a href="https://us-cert.gov/ncas/analysis-reports/ar21-048a">MAR-10322463-1.v1</a>.</p>

<h3 class="italic"><strong>AppleJeus Version 2: JMT Trading</strong></h3>

<h4><strong>Introduction and Infrastructure</strong></h4>

<p>In October 2019, a cybersecurity company identified a new version of the AppleJeus malware—JMT Trading—thanks to its many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which a legitimate-looking company, called JMT Trading, marketed and distributed on their website, <code>jmttrading[.]org</code> (<em>Acquire Infrastructure: Domain</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1583/001/">T1583.001</a>]). This website contained a "Download from GitHub" button, which linked to JMT Trading's GitHub page (<em>Acquire Infrastructure: Web Services</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1583/006">T1583.006</a>]), where Windows and macOS X versions of the JMT Trader application were available for download (<em>Develop Capabilities: Malware</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1587/001/">T1587.001</a>]). The GitHub page also included .zip and tar.gz files containing the source code.</p>

<p>The <code>jmttrading[.]org</code> domain resolved to the following IP addresses from October 15, 2016, to January 22, 2021.</p>


<p>The <code>jmttrading[.]org</code> domain had a valid Sectigo SSL certificate (<em>Obtain Capabilities: Digital Certificates </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1588/004/">T1588.004</a>]). The SSL certificate was "Domain Control Validated," a weak security verification level that does not require validation of the owner's identity or the actual business's existence. The current SSL certificate was issued by Let's Encrypt.</p>

<h4><strong>JMT Trading Application Analysis</strong></h4>

<h4 class="italic"><strong><em>Windows Program</em></strong></h4>

<p>The Windows version of the malicious cryptocurrency application is an MSI Installer. The installer looks legitimate and has a valid digital signature from Sectigo (<em>Obtain Capabilities: Digital Certificates</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1588/004/">T1588.004</a>]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for <code>jmttrading[.]org</code> (<em>Obtain Capabilities: Code Signing Certificates</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1588/003/">T1588.003</a>]). The MSI Installer asks the victim for administrative privileges to run (<em>User Execution: Malicious File</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1204/002">T1204.002</a>]).</p>

<p>Once permission is granted, the MSI executes the following actions.</p>

<ul>
   <li>Installs <code>JMTTrader.exe</code> in folder <code>C:\Program Files (x86)\JMTTrader</code></li>
   <li>Installs <code>CrashReporter.exe</code> in folder <code>C:\Users\&lt;username&gt;\AppData\Roaming\JMTTrader</code></li>
   <li>Runs <code>CrashReporter.exe</code> with the <code>Maintain</code> parameter</li>
</ul>

<p>The <code>JMTTrader.exe</code> program asks for the user's exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to <code>CelasTradePro.exe</code> and the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.</p>

<p>The program <code>CrashReporter.exe</code> is heavily obfuscated with the ADVObfuscation library, renamed "snowman" (<em>Obfuscated Files or Information</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1027">T1027</a>]). When run, it checks for the <code>Maintain</code> parameter and collects the victim's host information (<em>System Owner/User Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1033">T1033</a>]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (<em>Exfiltration Over C2 Channel </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1041">T1041</a>]). The program also creates a scheduled SYSTEM task, named <code>JMTCrashReporter</code>, which runs <code>CrashReporter.exe</code> with the <code>Maintain</code> parameter at any user's login (<em>Scheduled Task/Job: Scheduled Task</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1053/005">T1053.005</a>]).</p>

<h4><strong><em>macOS X Program</em></strong></h4>

<p>The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.</p>

<ul>
   <li>Installs <code>JMTTrader</code> in folder <code>/Applications/JMTTrader.app/Contents/MacOS/</code></li>
   <li>Installs <code>.CrashReporter</code> in folder <code>/Applications/JMTTrader.app/Contents/Resources/</code>
   <ul>
      <li>Note: the leading "." makes it unlisted in the Finder app or default Terminal directory listing.</li>
   </ul>
   </li>
   <li>Executes a <code>postinstall</code> script
   <ul>
      <li>Moves <code>.com.jmttrading.plist</code> to folder <code>LaunchDaemons</code></li>
      <li>Changes the file permissions on the <code>plist</code></li>
      <li>Runs <code>CrashReporter</code> with the <code>Maintain</code> parameter</li>
      <li>Moves <code>.CrashReporter</code> to folder <code>/Library/JMTTrader/CrashReporter</code></li>
      <li>Makes <code>.CrashReporter</code> executable</li>
   </ul>
   </li>
</ul>

<p>The <code>JMTTrader</code> program asks for the user's exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to <code>CelasTradePro</code> and the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.</p>

<p>The <code>CrashReporter</code> program checks for the <code>Maintain</code> parameter and is not obfuscated. This lack of obfuscation makes it easier to determine the program's functionality in detail. When it finds the <code>Maintain</code> parameter, it collects the victim's host information (<em>System Owner/User Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1033">T1033</a>]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (<em>Exfiltration Over C2 Channel </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1041">T1041</a>]).</p>

<p>The <code>postinstall</code> script has similar functionality to the one used by <code>CelasTradePro</code>, but it has a few additional features (<em>Command and Scripting Interpreter: AppleScript</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1059/002/">T1059.002</a>]). It moves the property list (<code>plist</code>) file <code>.com.jmttrading.plist</code> from the Installer package to the <code>LaunchDaemons</code> folder (<em>Scheduled Task/Job: Launchd</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1053/004/">T1053.004</a>]), but also changes the file permissions on the <code>plist</code> file. Once in the folder, this property list (<code>plist</code>) file will launch the <code>CrashReporter</code> program with the <code>Maintain</code> parameter on system load as Root for every user. Also, the <code>postinstall</code> script moves the <code>.CrashReporter</code> program to a new location <code>/Library/JMTTrader/CrashReporter</code> and makes it executable. Because the <code>LaunchDaemon</code> will not run automatically after the <code>plist</code> file is moved, the <code>postinstall</code> script launches <code>CrashReporter</code> with the <code>Maintain</code> parameter and runs it in the background (<em>Create or Modify System Process: Launch Daemon</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1543/004/">T1543.004</a>]).</p>

<h4><strong><em>Payload</em></strong></h4>

<p>Soon after the cybersecurity company tweeted about JMT Trader on October 11, 2019, the files on GitHub were updated to clean, non-malicious installers. Then on October 13, 2019, a different cybersecurity company published an article detailing the macOS X JMT Trader, and soon after, the C2 <code>beastgoc[.]com</code> website went offline. There is not a confirmed sample of the payload to analyze at this point.</p>

<p>For more details on AppleJeus Version 2: JMT Trading, see <a href="https://us-cert.gov/ncas/analysis-reports/ar21-048b">MAR-10322463-2.v1</a>.</p>

<h3 class="italic">AppleJeus Version 3: Union Crypto</h3>

<h4><strong>Introduction and Infrastructure</strong></h4>

<p>In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which was marketed and distributed by a legitimate-looking company, called Union Crypto, on their website, <code>unioncrypto[.]vip</code> (<em>Acquire Infrastructure: Domain</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1583/001/">T1583.001</a>]). Although this website is no longer available, a cybersecurity researcher discovered a download link, <code>https://www.unioncrypto[.]vip/download/W6c2dq8By7luMhCmya2v97YeN</code>, recorded on VirusTotal for the macOS X version of <code>UnionCryptoTrader</code>. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a "Telegram Downloads" folder on an unnamed victim.[<a href="https://securelist.com/operation-applejeus-sequel/95596/">7</a>]</p>

<p>The <code>unioncrypto[.]vip</code> domain resolved to the following IP addresses from June 5, 2019, to July 15, 2020.</p>


<p>The domain <code>unioncrypto[.]vip</code> had a valid Sectigo SSL certificate (<em>Obtain Capabilities: Digital Certificates</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1588/004/">T1588.004</a>]). The SSL certificate was "Domain Control Validated," a weak security verification level that does not require validation of the owner's identity or the actual business's existence.</p>

<h4><strong>Union Crypto Trader Application Analysis</strong></h4>

<h4><strong><em>Windows Program</em></strong></h4>

<p>The Windows version of the malicious cryptocurrency application is a Windows executable (<code>.exe</code>) (<em>User Execution: Malicious File</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1204/002">T1204.002</a>]), which acts as an installer that extracts a temporary MSI Installer.</p>

<p>The Windows program executes the following actions.</p>

<ul>
   <li>Extracts <code>UnionCryptoTrader.msi</code> to folder <code>C:\Users\&lt;username&gt;\AppData\Local\Temp\{82E4B719-90F74BD1-9CF1-56CD777E0C42}</code></li>
   <li>Runs <code>UnionCryptoUpdater.msi</code>
   <ul>
      <li>Installs <code>UnionCryptoTrader.exe</code> in folder <code>C:\Program Files\UnionCryptoTrader</code></li>
      <li>Installs <code>UnionCryptoUpdater.exe</code> in folder <code>C:\Users\&lt;username&gt;\AppData\Local\UnionCryptoTrader</code></li>
   </ul>
   </li>
   <li>Deletes <code>UnionCryptoUpdater.msi</code></li>
   <li>Runs <code>UnionCryptoUpdater.exe</code></li>
</ul>

<p>The program <code>UnionCryptoTrader.exe</code> loads a legitimate-looking cryptocurrency arbitrage application—defined as "the simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms to take advantage of differing prices for the same asset"—which exhibits no signs of malicious activity. This application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.[<a href="https://github.com/butor/blackbird">8</a>]</p>

<p>The program <code>UnionCryptoUpdater.exe</code> first installs itself as a service (<em>Create or Modify System Process: Windows Service</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1543/003">T1543.003</a>]), which will automatically start when any user logs on (<em>Boot or Logon Autostart Execution</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1547/">T1547</a>]). The service is installed with a description stating it "Automatically installs updates for Union Crypto Trader." When launched, it collects the victim's host information (<em>System Owner/User Discovery </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1033">T1033</a>]), combines the information in a string that is MD5 hashed and stored in the <code>auth_signature</code> variable before exfiltration, and sends it to a C2 website (<em>Exfiltration Over C2 Channel </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1041">T1041</a>]).</p>

<h4><strong><em>macOS X Program</em></strong></h4>

<p>The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.</p>

<ul>
   <li>Installs <code>UnionCryptoTrader</code> in folder <code>/Applications/UnionCryptoTrader.app/Contents/MacOS/</code></li>
   <li>Installs <code>.unioncryptoupdater</code> in folder <code>/Applications/UnionCryptoTrader.app/Contents/Resources/</code>
   <ul>
      <li>Note: the leading "." makes it unlisted in the Finder app or default Terminal directory listing</li>
   </ul>
   </li>
   <li>Executes a <code>postinstall</code> script
   <ul>
      <li>Moves <code>.vip.unioncrypto.plist</code> to folder <code>LaunchDaemons</code></li>
      <li>Changes the file permissions on the <code>plist</code> to Root</li>
      <li>Runs <code>unioncryptoupdater</code></li>
      <li>Moves <code>.unioncryptoupdater</code> to folder <code>/Library/UnionCrypto/unioncryptoupdater</code></li>
      <li>Makes <code>.unioncryptoupdater</code> executable</li>
   </ul>
   </li>
</ul>

<p>The <code>UnionCryptoTrader</code> program loads a legitimate-looking cryptocurrency arbitrage application, which exhibits no signs of malicious activity. The application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.</p>

<p>The <code>.unioncryptoupdater</code> program is signed ad-hoc, meaning it is not signed with a valid code-signing identity. When launched, it collects the victim's host information (<em>System Owner/User Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1033">T1033</a>]), combines the information in a string that is MD5 hashed and stored in the <code>auth_signature</code> variable before exfiltration, and sends it to a C2 website (<em>Exfiltration Over C2 Channel </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1041">T1041</a>]).</p>

<p>The <code>postinstall</code> script has similar functionality to the one used by JMT Trading (<em>Command and Scripting Interpreter: AppleScript</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1059/002/">T1059.002</a>]). It moves the property list (<code>plist</code>) file <code>.vip.unioncrypto.plist</code> from the Installer package to the <code>LaunchDaemons</code> folder (<em>Scheduled Task/Job: Launchd</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1053/004/">T1053.004</a>]), but also changes the file permissions on the <code>plist</code> file to Root. Once in the folder, this property list (<code>plist</code>) file will launch the <code>.unioncryptoupdater</code> on system load as Root for every user. The <code>postinstall</code> script moves the <code>.unioncryptoupdater</code> program to a new location <code>/Library/UnionCrypto/unioncryptoupdater</code> and makes it executable. Because the <code>LaunchDaemon</code> will not run automatically after the <code>plist</code> file is moved, the <code>postinstall</code> script launches <code>.unioncryptoupdater</code> and runs it in the background (<em>Create or Modify System</em> <em>Process: Launch Daemon</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1543/004/">T1543.004</a>]).</p>

<h4><strong><em>Payload</em></strong></h4>

<p>The payload for the Windows malware is a Windows Dynamic-Link-Library.&nbsp;<code>UnionCryptoUpdater.exe</code> does not immediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This delay could be implemented to prevent researchers from directly obtaining the stage 2 malware.</p>

<p>The macOS X malware's payload could not be downloaded, as the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the macOS X payload. The macOS X payload is likely similar in functionality to the Windows stage 2 detailed above.</p>

<p>For more details on AppleJeus Version 3: Union Crypto, see <a href="https://us-cert.gov/ncas/analysis-reports/ar21-048c">MAR-10322463-3.v1</a>.</p>

<h3 class="italic">Commonalities between Celas Trade Pro, JMT Trading, and Union Crypto</h3>

<h4><strong>Hardcoded Values</strong></h4>

<p>In each AppleJeus version, there are hardcoded values used for encryption or to create a signature when combined with the time (table 1).</p>

<p class="text-align-center"><em>Table 1: AppleJeus hardcoded values and uses</em></p>

<table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 600px; height: 312px; margin-left: auto; margin-right: auto;">
   <thead>
      <tr>
         <th scope="col"><strong>AppleJeus Version </strong></th>
         <th scope="col"><strong>Value </strong></th>
         <th scope="col"><strong>Use </strong></th>
      </tr>
   </thead>
   <tbody>
      <tr>
         <td class="text-align-center" scope="col">1: Celas Trade Pro</td>
         <td class="text-align-center" scope="col">Moz&amp;Wie;#t/6T!2y</td>
         <td class="text-align-center" scope="col">XOR encryption to send data</td>
      </tr>
      <tr>
         <td class="text-align-center" scope="col">1: Celas Trade Pro</td>
         <td class="text-align-center" scope="col">W29ab@ad%Df324V$Yd</td>
         <td class="text-align-center" scope="col">RC4 decryption</td>
      </tr>
      <tr>
         <td class="text-align-center" scope="col">2: JMT Trader Windows</td>
         <td class="text-align-center" scope="col">X,%`PMk--Jj8s+6=15:20:11</td>
         <td class="text-align-center" scope="col">XOR encryption to send data</td>
      </tr>
      <tr>
         <td class="text-align-center" scope="col">2: JMT Trader OSX</td>
         <td class="text-align-center" scope="col">X,%`PMk--Jj8s+6=\x02</td>
         <td class="text-align-center" scope="col">XOR encryption to send data</td>
      </tr>
      <tr>
         <td class="text-align-center" scope="col">3: Union Crypto Trader</td>
         <td class="text-align-center" scope="col">12GWAPCT1F0I1S14</td>
         <td class="text-align-center" scope="col">Combined with time for signature</td>
      </tr>
   </tbody>
</table>


<p>The Union Crypto Trader and Celas LLC (XOR) values are 16 bytes in length. For JMT Trader, the first 16 bytes of the Windows and macOS X values are identical, and the additional bytes are in a time format for the Windows sample. The structure of a 16-byte value combined with the time is also used in Union Crypto Trader to create the <code>auth_signature</code>.</p>

<p>As mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use 16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples.</p>
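<p>The following is an added example written for this advisory, not code from the advisory or from the AppleJeus samples. It turns Table 1 into a scanner that reports which hardcoded value (or, for JMT Trader, which shared 16-byte core with a different tail) appears in a file image, makes the "16-byte core plus time-formatted tail" structure explicit, and shows why a captured buffer XOR-encrypted with one of these keys is trivially recoverable by an analyst who holds the key. All file contents and the host-info string are constructed; the offsets and the "09:41:00" tail are made up for the demonstration.</p>

```python
"""Scan a file image for the AppleJeus hardcoded values from Table 1 and
decode a buffer XOR-encrypted with one of them.

Added example for this advisory; not code from the advisory or from the
malware samples. Every input below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Hardcoded values exactly as listed in Table 1 (kept as bytes because two
# of them contain a non-printable byte or shell-special characters).
HARDCODED_VALUES: Dict[str, bytes] = {
    "1: Celas Trade Pro / XOR send": b"Moz&Wie;#t/6T!2y",
    "1: Celas Trade Pro / RC4":      b"W29ab@ad%Df324V$Yd",
    "2: JMT Trader Windows / XOR":   b"X,%`PMk--Jj8s+6=15:20:11",
    "2: JMT Trader OSX / XOR":       b"X,%`PMk--Jj8s+6=\x02",
    "3: Union Crypto Trader / sig":  b"12GWAPCT1F0I1S14",
}

# Trailing bytes in HH:MM:SS form, as on the JMT Trader Windows value.
TIME_SUFFIX = re.compile(rb"^\d{2}:\d{2}:\d{2}$")


def key_structure(value: bytes) -> Dict[str, object]:
    """Split a value into its 16-byte core and any trailing bytes.

    The advisory notes that the Windows and macOS JMT values share their
    first 16 bytes and differ only in the tail (a time string on Windows).
    """
    core, tail = value[:16], value[16:]
    return {
        "core": core,
        "core_len": len(core),
        "tail": tail,
        "tail_is_time": bool(TIME_SUFFIX.match(tail)),
    }


def scan_for_hardcoded_values(data: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every occurrence of a full Table 1 value.

    The shared 16-byte JMT core is also searched for on its own, so a sample
    carrying a different tail (e.g. another time string) is still surfaced.
    """
    hits: List[Tuple[str, int]] = []
    for label, value in HARDCODED_VALUES.items():
        start = 0
        while (idx := data.find(value, start)) >= 0:
            hits.append((label, idx))
            start = idx + 1
    jmt_core = HARDCODED_VALUES["2: JMT Trader OSX / XOR"][:16]
    full_jmt_offsets = {off for lab, off in hits if lab.startswith("2:")}
    start = 0
    while (idx := data.find(jmt_core, start)) >= 0:
        if idx not in full_jmt_offsets:
            hits.append(("2: JMT Trader / 16-byte core only", idx))
        start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def xor_with_key(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def build_constructed_sample() -> bytes:
    """Constructed file image: padding, the Celas XOR key, padding, then the
    JMT core followed by a made-up time tail that matches neither Table 1 value."""
    return (b"\x00" * 32
            + HARDCODED_VALUES["1: Celas Trade Pro / XOR send"]
            + b"\x90" * 16
            + b"X,%`PMk--Jj8s+6=" + b"09:41:00"
            + b"\x00" * 8)


def decode_constructed_exfil() -> bytes:
    """Constructed host-info string, XOR-encrypted with the Celas key the way a
    sender would, then recovered with the same key (what an analyst with the
    hardcoded key can do to captured traffic)."""
    key = HARDCODED_VALUES["1: Celas Trade Pro / XOR send"]
    plaintext = b"hostname=LAB-VM;user=analyst;os=Windows 10"  # constructed
    ciphertext = xor_with_key(plaintext, key)
    return xor_with_key(ciphertext, key)


if __name__ == "__main__":
    for label, off in scan_for_hardcoded_values(build_constructed_sample()):
        print(f"{off:#06x}  {label}")
    print(key_structure(HARDCODED_VALUES["2: JMT Trader Windows / XOR"]))
    print(decode_constructed_exfil())
```

<p>Run against a real sample with <code>scan_for_hardcoded_values(open(path, "rb").read())</code>; a hit on the core alone is a prompt to review, not proof of a match, since 16 bytes can collide in large binaries.</p>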

<h4><strong>Open-Source Cryptocurrency Applications</strong></h4>

<p>All three AppleJeus samples are bundled with modified copies of legitimate cryptocurrency applications and can be used as originally designed to trade cryptocurrency. Both Celas LLC and JMT Trader modified the same cryptocurrency application, Q.T. Bitcoin Trader; Union Crypto Trader modified the Blackbird Bitcoin Arbitrage application.</p>

<h4><strong>Postinstall Scripts, Property List Files, and LaunchDaemons</strong></h4>

<p>The macOS X samples of all three AppleJeus versions contain <code>postinstall</code> scripts with similar logic. The Celas LLC <code>postinstall</code> script only moves the <code>plist</code> file to a new location and launches <code>Updater</code> with the <code>CheckUpdate</code> parameter in the background. The JMT Trader and Union Crypto Trader also perform these actions and have identical functionality. The additional actions performed by both <code>postinstall</code> scripts are to change the file permissions on the <code>plist</code>, make a new directory in the <code>/Library</code> folder, move <code>CrashReporter</code> or <code>UnionCryptoUpdater</code> to the newly created folder, and make them executable.</p>

<p>The <code>plist</code> files for all three AppleJeus files have identical functionality. They only differ in the files' names and one default comment that was not removed from the Celas LLC <code>plist</code>. As the logic and functionality of the postinstall scripts and plist files are almost identical, the <code>LaunchDaemons</code> created also function the same.</p>

<p>They will all launch the secondary executable as Root on system load for every user.</p>
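<p>The persistence pattern described for Union Crypto Trader above and shared by all three macOS samples (a <code>plist</code> dropped into <code>/Library/LaunchDaemons</code>, a relocated executable under <code>/Library</code>, and a root launch at system load) can be checked for with a short triage script. The following is an added example for this advisory, not the advisory's or the samples' code. The plists it parses are constructed to mirror the described behaviour; the launchd keys it reads (<code>Label</code>, <code>Program</code>, <code>ProgramArguments</code>, <code>RunAtLoad</code>) are standard launchd keys, and their presence in the real samples is an assumption. The same check also covers the Kupay Wallet and CoinGoTrade variants described later, whose plists are not dot-hidden but whose executables sit under <code>/Library/Application Support</code>.</p>

```python
"""Triage LaunchDaemon plists for the persistence pattern the AppleJeus
macOS installers share.

Added example for this advisory; not the advisory's or the samples' code.
Sample plists are constructed; RunAtLoad/Program/ProgramArguments are
standard launchd keys, assumed rather than taken from the samples.
"""
import os
import plistlib
import posixpath
from typing import Dict, List

# Directories where a LaunchDaemon's executable is ordinarily expected to
# live. Anything else is a review item, not automatically malicious.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def triage_launch_daemon(plist_name: str, plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one plist from /Library/LaunchDaemons."""
    findings: List[str] = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # InvalidFileException or malformed XML
        return [f"unparseable plist: {exc!r}"]

    if plist_name.startswith("."):
        findings.append("plist filename starts with '.', hiding it from Finder and plain ls")

    args = plist.get("ProgramArguments") or []
    exe = plist.get("Program") or (args[0] if args else None)
    if not isinstance(exe, str) or not exe:
        findings.append("no Program or ProgramArguments: nothing to run")
        return findings

    if posixpath.basename(exe).startswith("."):
        findings.append(f"executable name is dot-hidden: {exe}")
    if not exe.startswith(SYSTEM_PREFIXES):
        findings.append(f"executable outside system directories: {exe}")
    # Root-at-boot is normal for a LaunchDaemon; report it only when it
    # amplifies another finding.
    if findings and plist.get("RunAtLoad"):
        findings.append("RunAtLoad is true: launchd starts it as root at boot, for every user")
    return findings


def triage_directory(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Triage filename -> plist bytes; only entries with findings are returned."""
    report: Dict[str, List[str]] = {}
    for name, raw in plists.items():
        findings = triage_launch_daemon(name, raw)
        if findings:
            report[name] = findings
    return report


def read_launch_daemons(directory: str = "/Library/LaunchDaemons") -> Dict[str, bytes]:
    """Read every .plist (dot-hidden ones included) from a real directory."""
    plists: Dict[str, bytes] = {}
    if os.path.isdir(directory):
        for name in os.listdir(directory):
            if name.endswith(".plist"):
                with open(os.path.join(directory, name), "rb") as fh:
                    plists[name] = fh.read()
    return plists


# Constructed samples: the Union Crypto pattern, the Kupay pattern, and a
# stock-looking daemon for comparison. Labels are made up.
CONSTRUCTED_PLISTS: Dict[str, bytes] = {
    ".vip.unioncrypto.plist": plistlib.dumps({
        "Label": "vip.unioncrypto",
        "Program": "/Library/UnionCrypto/unioncryptoupdater",
        "RunAtLoad": True,
    }),
    "com.kupay.pkg.wallet.plist": plistlib.dumps({
        "Label": "com.kupay.pkg.wallet",
        "ProgramArguments": ["/Library/Application Support/KupayDaemon/kupay_upgrade"],
        "RunAtLoad": True,
    }),
    "com.example.benign.plist": plistlib.dumps({
        "Label": "com.example.benign",
        "ProgramArguments": ["/usr/libexec/exampled", "--daemon"],
        "RunAtLoad": True,
    }),
}


if __name__ == "__main__":
    live = read_launch_daemons()
    for name, findings in triage_directory(live or CONSTRUCTED_PLISTS).items():
        print(name)
        for f in findings:
            print("   -", f)
```

<p>On a macOS host the script reads the real <code>/Library/LaunchDaemons</code>; elsewhere it falls back to the constructed samples. Pair the path finding with a code-signature check (<code>codesign -dv</code>) on the flagged executable, since the advisory notes the updater binaries were signed ad-hoc.</p>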

<h3 class="italic">AppleJeus Version 4: Kupay Wallet</h3>

<h4><strong>Introduction and Infrastructure</strong></h4>

<p>On March 13, 2020, a new version of the AppleJeus malware was identified. The malware was marketed and distributed by a legitimate-looking company, called Kupay Wallet, on their website <code>kupaywallet[.]com</code> (<em>Acquire Infrastructure: Domain</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1583/001/">T1583.001</a>]).</p>

<p>The domain <code>www.kupaywallet[.]com</code> resolved to IP address <code>104.200.67[.]96</code> from March 20, 2020, to January 16, 2021. CrownCloud US, LLC controlled the IP address (autonomous system number [ASN] 8100), and is located in New York, NY.</p>

<p>The domain <code>www.kupaywallet[.]com</code> had a valid Sectigo SSL certificate (<em>Obtain Capabilities: Digital Certificates</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1588/004/">T1588.004</a>]). The SSL certificate was "Domain Control Validated," a weak security verification level that does not require validation of the owner's identity or the actual business's existence.</p>

<h4><strong>Kupay Wallet Application Analysis</strong></h4>

<h4><strong><em>Windows Program</em></strong></h4>

<p>The Windows version of the malicious cryptocurrency application is an MSI Installer. The MSI executes the following actions.</p>

<ul>
   <li>Installs <code>Kupay.exe</code> in folder <code>C:\Program Files (x86)\Kupay</code></li>
   <li>Installs <code>KupayUpgrade.exe</code> in folder <code>C:\Users\&lt;username&gt;\AppData\Roaming\KupaySupport</code></li>
   <li>Runs <code>KupayUpgrade.exe</code></li>
</ul>

<p>The program <code>Kupay.exe</code> loads a legitimate-looking cryptocurrency wallet platform, which exhibits no signs of malicious activity and is very similar to an open-source platform known as Copay, distributed by Atlanta-based company BitPay.</p>

<p>The program <code>KupayUpgrade.exe</code> first installs itself as a service (<em>Create or Modify System Process:</em> <em>Windows Service</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1543/003">T1543.003</a>]), which will automatically start when any user logs on (<em>Boot or Logon</em> <em>Autostart Execution</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1547/">T1547</a>]). The service is installed with a description stating it is an "Automatic Kupay Upgrade." When launched, it collects the victim's host information (<em>System Owner/User Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1033">T1033</a>]), combines the information in strings before exfiltration, and sends it to a C2 website (<em>Exfiltration Over C2</em> <em>Channel</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1041">T1041</a>]).</p>
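<p>The Windows persistence just described (an auto-start service whose binary lives under <code>C:\Users\&lt;username&gt;\AppData\Roaming\&lt;name&gt;Support</code> and whose description reads "Automatic &lt;name&gt; Upgrade") is easy to hunt for in a service inventory. The following is an added example for this advisory, not the advisory's code; it also covers the CoinGoTrade variant described later, which uses the same layout and description pattern. The CSV is constructed in the column layout of a <code>Win32_Service</code> export (for example from PowerShell's <code>Get-CimInstance Win32_Service | Export-Csv</code>); the service names, user name and the non-AppleJeus rows are made up, and only the description strings and folder names come from the advisory.</p>

```python
"""Triage a Windows service inventory (CSV export of Win32_Service) for the
pattern shared by the AppleJeus Windows updaters.

Added example for this advisory, not the advisory's code. The export below
is constructed; service names and the user name are made up.
"""
import csv
import io
import re
from typing import Dict, List

# Binary sitting in a user profile's roaming AppData folder.
ROAMING_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Roaming\\", re.IGNORECASE)
# Description of the form "Automatic <name> Upgrade", as in both samples.
UPGRADE_DESC_RE = re.compile(r"^Automatic \S+ Upgrade$", re.IGNORECASE)


def service_binary(path_name: str) -> str:
    """Extract the executable from PathName, which may be quoted and carry arguments."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        end = path_name.find('"', 1)
        return path_name[1:end] if end > 0 else path_name[1:]
    return path_name.split(" ", 1)[0]


def triage_service(rec: Dict[str, str]) -> List[str]:
    """Return findings for one record with Name, PathName, StartMode, Description."""
    findings: List[str] = []
    exe = service_binary(rec.get("PathName", ""))
    if ROAMING_RE.search(exe):
        findings.append(f"service binary lives in a user profile: {exe}")
    desc = rec.get("Description", "")
    if UPGRADE_DESC_RE.match(desc):
        findings.append(f"description matches 'Automatic <name> Upgrade': {desc!r}")
    # Auto-start on its own is normal; report it only alongside another finding.
    if findings and rec.get("StartMode", "").lower() == "auto":
        findings.append("StartMode is Auto: started at every boot, before user logon")
    return findings


def triage_csv(text: str) -> Dict[str, List[str]]:
    """Run triage_service over every row of a Win32_Service CSV export."""
    report: Dict[str, List[str]] = {}
    for rec in csv.DictReader(io.StringIO(text)):
        findings = triage_service(rec)
        if findings:
            report[rec["Name"]] = findings
    return report


# Constructed export. The quoted-with-arguments PathName on the CoinGoTrade
# row exercises the quote handling in service_binary().
CONSTRUCTED_EXPORT = '''"Name","PathName","StartMode","Description"
"Spooler","C:\\Windows\\System32\\spoolsv.exe","Auto","This service spools print jobs"
"KupayUpgrade","C:\\Users\\alice\\AppData\\Roaming\\KupaySupport\\KupayUpgrade.exe","Auto","Automatic Kupay Upgrade"
"CoinGoTradeUpdate","""C:\\Users\\alice\\AppData\\Roaming\\CoinGoTradeSupport\\CoinGoTradeUpdate.exe"" /svc","Auto","Automatic CoinGoTrade Upgrade"
"VendorHelper","C:\\Program Files\\Vendor\\helper.exe","Manual","Vendor helper"
'''


if __name__ == "__main__":
    for name, findings in triage_csv(CONSTRUCTED_EXPORT).items():
        print(name)
        for f in findings:
            print("   -", f)
```

<p>Feed it a real export with <code>triage_csv(open("services.csv", encoding="utf-8-sig").read())</code> (PowerShell writes a BOM). Legitimate software rarely registers a system service whose binary lives in one user's roaming profile, so the path finding alone is worth a look even when the description differs.</p>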

<h4><strong><em>macOS X Program</em></strong></h4>

<p>The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.</p>

<ul>
   <li>Installs <code>Kupay</code> in folder <code>/Applications/Kupay.app/Contents/MacOS/</code></li>
   <li>Installs <code>kupay_upgrade</code> in folder <code>/Applications/Kupay.app/Contents/MacOS/</code></li>
   <li>Executes a <code>postinstall</code> script
   <ul>
      <li>Creates <code>KupayDaemon</code> folder in <code>/Library/Application Support</code> folder</li>
      <li>Moves <code>kupay_upgrade</code> to the new folder</li>
      <li>Moves <code>com.kupay.pkg.wallet.plist</code> to folder <code>/Library/LaunchDaemons/</code></li>
      <li>Runs the command <code>launchctl load</code> to load the <code>plist</code> without a restart</li>
      <li>Runs <code>kupay_upgrade</code> in the background</li>
   </ul>
   </li>
</ul>

<p><code>Kupay</code> is likely a copy of an open-source cryptocurrency wallet application, loads a legitimate-looking wallet program (fully functional), and its functionality is identical to the Windows <code>Kupay.exe</code> program.</p>

<p>The <code>kupay_upgrade</code> program calls its function <code>CheckUpdate</code> (which contains most of the logic functionality of the malware) and sends a <code>POST</code> to the C2 server with a connection named "Kupay Wallet 9.0.1 (Check Update Osx)" (<em>Application Layer Protocol: Web Protocols</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1071/001">T1071.001</a>]). If the C2 server returns a file, it is decoded and written to the victim's folder <code>/private/tmp/kupay_update</code> with permissions set by the command <code>chmod 700</code> (only the user can read, write, and execute) (<em>Command and Scripting Interpreter</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1059/">T1059</a>]). Stage 2 is then launched, and the malware, <code>kupay_upgrade</code>, returns to sleeping and checking in with the C2 server at predetermined intervals (<em>Application Layer Protocol: Web Protocols</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1071/001">T1071.001</a>]).</p>

<p>The <code>postinstall</code> script has similar functionality to other AppleJeus scripts (<em>Command and Scripting Interpreter: AppleScript</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1059/002/">T1059.002</a>]). It creates the <code>KupayDaemon</code> folder in the <code>/Library/Application Support</code> folder and then moves <code>kupay_upgrade</code> to the new folder. It moves the property list (<code>plist</code>) file <code>com.kupay.pkg.wallet.plist</code> from the Installer package to the <code>/Library/LaunchDaemons/</code> folder (<em>Scheduled Task/Job: Launchd </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1053/004/">T1053.004</a>]). The script runs the command <code>launchctl load</code> to load the <code>plist</code> without a restart (<em>Command and Scripting Interpreter </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1059/">T1059</a>]). But, since the <code>LaunchDaemon</code> will not run automatically after the <code>plist</code> file is moved, the <code>postinstall</code> script launches <code>kupay_upgrade</code> and runs it in the background (<em>Create or Modify System Process: Launch Daemon </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1543/004/">T1543.004</a>]).</p>

<h4><strong><em>Payload</em></strong></h4>

<p>The Windows malware's payload could not be downloaded since the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.</p>

<p>The stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of functionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a payload, read and write files, execute commands via the terminal, etc.</p>

<p>For more details on AppleJeus Version 4: Kupay Wallet, see <a href="https://us-cert.gov/ncas/analysis-reports/ar21-048d">MAR-10322463-4.v1</a>.</p>

<h3 class="italic">AppleJeus Version 5: CoinGoTrade</h3>

<h4><strong>Introduction and Infrastructure</strong></h4>

<p>In early 2020, another version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called CoinGoTrade on their website <code>coingotrade[.]com</code> (<em>Acquire Infrastructure: Domain</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1583/001/">T1583.001</a>]).</p>

<p>The domain <code>CoinGoTrade[.]com</code> resolved to IP address <code>198.54.114[.]175</code> from February 28, 2020, to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN as the IP addresses for <code>Dorusio[.]com</code> and <code>Ants2Whale[.]com</code>.</p>

<p>The domain <code>CoinGoTrade[.]com</code> had a valid Sectigo SSL certificate (<em>Obtain Capabilities: Digital Certificates</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1588/004/">T1588.004</a>]). The SSL certificate was "Domain Control Validated," a weak security verification level that does not require validation of the owner's identity or the actual business's existence.</p>

<h4><strong>CoinGoTrade Application Analysis</strong></h4>

<h4><strong><em>Windows Program</em></strong></h4>

<p>The Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and will execute the following actions.</p>

<ul>
   <li>Installs <code>CoinGoTrade.exe</code> in folder <code>C:\Program Files (x86)\CoinGoTrade</code></li>
   <li>Installs <code>CoinGoTradeUpdate.exe</code> in folder <code>C:\Users\&lt;username&gt;\AppData\Roaming\CoinGoTradeSupport</code></li>
   <li>Runs <code>CoinGoTradeUpdate.exe</code></li>
</ul>

<p><code>CoinGoTrade.exe</code> loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.</p>

<p><code>CoinGoTradeUpdate.exe</code> first installs itself as a service (<em>Create or Modify System Process: Windows Service </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1543/003">T1543.003</a>]), which will automatically start when any user logs on (<em>Boot or Logon Autostart Execution </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1547/">T1547</a>]). The service is installed with a description stating it is an "Automatic CoinGoTrade Upgrade." When launched, it collects the victim's host information (<em>System Owner/User Discovery </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1033">T1033</a>]), combines the information in strings before exfiltration, and sends it to a C2 website (<em>Exfiltration Over C2</em> <em>Channel </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1041">T1041</a>]).</p>

<h4><strong><em>macOS X Program</em></strong></h4>

<p>The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.</p>

<ul>
   <li>Installs <code>CoinGoTrade</code> in folder <code>/Applications/CoinGoTrade.app/Contents/MacOS/</code></li>
   <li>Installs <code>CoinGoTradeUpgradeDaemon</code> in folder <code>/Applications/CoinGoTrade.app/Contents/MacOS/</code></li>
   <li>Executes a <code>postinstall</code> script
   <ul>
      <li>Creates <code>CoinGoTradeService</code> folder in <code>/Library/Application Support</code> folder</li>
      <li>Moves <code>CoinGoTradeUpgradeDaemon</code> to the new folder</li>
      <li>Moves <code>com.coingotrade.pkg.product.plist</code> to folder <code>/Library/LaunchDaemons/</code></li>
      <li>Runs <code>CoinGoTradeUpgradeDaemon</code> in the background</li>
   </ul>
   </li>
</ul>

<p>The <code>CoinGoTrade</code> program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program.</p>

<p>The <code>CoinGoTradeUpgradeDaemon</code> program calls its function <code>CheckUpdate</code> (which contains most of the logic functionality of the malware) and sends a <code>POST</code> to the C2 server with a connection named "CoinGoTrade 1.0 (Check Update Osx)" (<em>Application Layer Protocol: Web Protocols</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1071/001">T1071.001</a>]). If the C2 server returns a file, it is decoded and written to the victim's folder <code>/private/tmp/updatecoingotrade</code> with permissions set by the command <code>chmod 700</code> (only the user can read, write, and execute) (<em>Command and</em> <em>Scripting Interpreter </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1059/">T1059</a>]). Stage 2 is then launched, and the malware, <code>CoinGoTradeUpgradeDaemon</code>, returns to sleeping and checking in with the C2 server at predetermined intervals (<em>Application Layer Protocol: Web Protocols</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1071/001">T1071.001</a>]).</p>

<p>The <code>postinstall</code> script has similar functionality to the other scripts (<em>Command and Scripting Interpreter: AppleScript </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1059/002/">T1059.002</a>]) and installs <code>CoinGoTrade</code> and <code>CoinGoTradeUpgradeDaemon</code> in folder <code>/Applications/CoinGoTrade.app/Contents/MacOS/</code>. It moves the property list (plist) file <code>com.coingotrade.pkg.product.plist</code> to the <code>/Library/LaunchDaemons/</code> folder (<em>Scheduled Task/Job: Launchd </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1053/004/">T1053.004</a>]). Because the <code>LaunchDaemon</code> will not run automatically after the <code>plist</code> file is moved, the <code>postinstall</code> script launches <code>CoinGoTradeUpgradeDaemon</code> and runs it in the background (<em>Create or Modify</em> <em>System Process: Launch Daemon</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1543/004/">T1543.004</a>]).</p>

<h4><strong><em>Payload</em></strong></h4>

<p>The Windows malware's payload could not be downloaded because the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.</p>

<p>The stage 2 payload for the macOS X malware was no longer available from the specified download URL. Still, a file was submitted to VirusTotal by the same user on the same date as the macOS X <code>CoinGoTradeUpgradeDaemon</code>. These clues suggest that the submitted file may be related to the macOS X version of the malware and the downloaded payload.</p>

<p>The file <code>prtspool</code> is a 64-bit Mach-O executable with a large variety of features t
Let's not argue. Let's network!

deanwebb

So North Korea can't get money in legit channels... but ripping off people into cryptocurrency is one way to make some bucks!
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.