Telsy analyzed new samples related to the threat actor Lazarus Group and in particular to the 'AppleJeus Operation'.
While some of the details have changed, the methods used in the current scheme look very similar to how 'AppleJeus' worked previously.
Both use a legitimate cryptotrading application as the lure, and both ship a secondary program that is the actual malware component.
The group released a trojanized version of the legitimate cryptotrading application “QtBitcoinTrader”; unlike in the previous operations, however, all stages of the infection reside within the MSI package.
The MSI package embeds a malicious library and a shellcode, and has a very low detection rate on VirusTotal.
After dropping its content into the directory '%appdata%/QtBitcoinTrader', the installer also copies the legitimate executable 'CertEnrollCtrl.exe' into the same directory and then registers it as a scheduled task.
The malicious library “dsparse.dll” is loaded through the 'DLL Side-Loading' technique: it is loaded by the legitimate process 'CertEnrollCtrl.exe', which finds the malicious copy in its own directory before the genuine system library.
According to its version metadata, the genuine 'dsparse.dll' implements the API for the Active Directory services. The malicious copy instead loads a shellcode into memory, which runs an embedded executable: the final backdoor.
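The persistence and side-loading chain above has a recognizable shape that can be hunted for on a host: a scheduled task that starts an executable from a user-writable directory, a DLL next to that executable that carries the name of a System32 library but does not match the system copy, and an executable that is a byte-identical copy of a Windows binary. The following Python script is an added example, not code from Telsy's report or from the malware; it runs offline on constructed data. The task rows, user names, paths and digests are made up for illustration; only the directory name QtBitcoinTrader, 'CertEnrollCtrl.exe' and 'dsparse.dll' come from the report.

```python
import csv
import io
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `schtasks /query /fo csv /v` output, trimmed
# to the three columns used below. These rows are made up for this example.
SAMPLE_TASKS_CSV = (
    '"TaskName","Task To Run","Run As User"\n'
    '"\\QtBitcoinTrader","C:\\Users\\alice\\AppData\\Roaming\\QtBitcoinTrader\\CertEnrollCtrl.exe","alice"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"\n'
    '"\\OneDrive Standalone Update Task","C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","alice"\n'
)

# Constructed file inventory (path -> digest). The digests are placeholders, not
# hashes of real files; on a live host you would fill this from Get-FileHash.
SAMPLE_FILES: Dict[str, str] = {
    r"C:\Users\alice\AppData\Roaming\QtBitcoinTrader\CertEnrollCtrl.exe": "sha256:legit-certenrollctrl",
    r"C:\Users\alice\AppData\Roaming\QtBitcoinTrader\dsparse.dll": "sha256:malicious-dsparse",
    r"C:\Users\alice\AppData\Roaming\QtBitcoinTrader\QtBitcoinTrader.exe": "sha256:qtbitcointrader",
    r"C:\Windows\System32\CertEnrollCtrl.exe": "sha256:legit-certenrollctrl",
    r"C:\Windows\System32\dsparse.dll": "sha256:legit-dsparse",
}

SYSTEM_DIR = r"C:\Windows\System32"

# Path fragments that mark user-writable locations; a scheduled task whose action
# lives under one of these deserves a second look.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def executable_of(task_to_run: str) -> Optional[str]:
    """Strip quotes and arguments from a 'Task To Run' value, keeping the .exe path."""
    m = re.match(r'\s*"?(.+?\.exe)', task_to_run, re.IGNORECASE)
    return m.group(1) if m else None


def tasks_in_user_writable_dirs(tasks_csv: str) -> List[Tuple[str, str]]:
    """(task name, executable) for each task that starts an .exe from a user-writable directory."""
    out = []
    for row in csv.DictReader(io.StringIO(tasks_csv)):
        exe = executable_of(row["Task To Run"])
        if exe and is_user_writable(exe):
            out.append((row["TaskName"], exe))
    return out


def sideloaded_dlls_beside(exe: str, files: Dict[str, str]) -> List[str]:
    """DLLs in the executable's directory that carry the name of a System32 DLL but
    do not match the System32 copy: the shape of DLL side-loading, where the loader
    finds the neighbouring file before the genuine library."""
    by_path = {p.lower(): (p, h) for p, h in files.items()}
    system_hashes = {ntpath.basename(p): h for p, (_, h) in by_path.items()
                     if ntpath.dirname(p) == SYSTEM_DIR.lower()}
    exe_dir = ntpath.dirname(exe.lower())
    hits = []
    for lower, (original, digest) in by_path.items():
        name = ntpath.basename(lower)
        if ntpath.dirname(lower) != exe_dir or not name.endswith(".dll"):
            continue
        if name in system_hashes and system_hashes[name] != digest:
            hits.append(original)
    return hits


def is_copy_of_system_binary(exe: str, files: Dict[str, str]) -> bool:
    """True when the executable is identical to the file of the same name in System32."""
    by_path = {p.lower(): h for p, h in files.items()}
    system_copy = ntpath.join(SYSTEM_DIR, ntpath.basename(exe)).lower()
    return exe.lower() in by_path and by_path.get(system_copy) == by_path[exe.lower()]


def hunt(tasks_csv: str, files: Dict[str, str]) -> List[dict]:
    """Require both signals, so an ordinary updater in AppData with no side-loaded DLL does not fire."""
    findings = []
    for task, exe in tasks_in_user_writable_dirs(tasks_csv):
        dlls = sideloaded_dlls_beside(exe, files)
        if dlls:
            findings.append({"task": task, "exe": exe, "dlls": dlls,
                             "exe_is_system_copy": is_copy_of_system_binary(exe, files)})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_TASKS_CSV, SAMPLE_FILES):
        print(finding)
```

On the constructed data the OneDrive updater task also runs from AppData, but no System32-named DLL sits beside it, so only the QtBitcoinTrader task is reported, with 'dsparse.dll' as the side-loaded library and 'CertEnrollCtrl.exe' flagged as a verbatim copy of the system binary. On a real host the inputs come from `schtasks /query /fo csv /v` and a file-hash sweep of the suspicious directories; treat a hit as a lead to triage rather than proof, since some applications legitimately ship their own builds of DLLs that also exist in System32.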
The backdoor implements many commands and a well-defined communication protocol based on HTTP over TLS towards the domain “digitalguarder.com”.
The domain “digitalguarder.com” resolved to the IP 184.108.40.206 and has a legitimately signed Sectigo SSL certificate which, like the domain certificates of previous 'AppleJeus' variants, is only 'Domain Control Validated' (a validation level that proves control of the domain and nothing about the operator). Likewise, the IP address 220.127.116.11 is on the same ASN 22612.
This report was produced by Telsy’s “Cyber Threat Intelligence” team with the help of its CTI platform, which makes it possible to analyze and stay updated on adversaries and threats that could impact customers’ business.