AppleJeus

The email provided a link to the Celas’ website, celasllc[.]com ( Acquire Infrastructure: Domain [T1583.001])... Again, the malware was ... distributed on their website, jmttrading[.]org ( Acquire Infrastructure: Domain [T1583.001]).

This website contained a “Download from GitHub” button, which linked to JMT Trading’s GitHub page ( Acquire Infrastructure: Web Services [T1583.006]).

FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware ( Develop Capabilities: Malware [T1587.001]).

The installer looks legitimate and is signed by a valid Sectigo certificate ... ( Obtain Capabilities: Code Signing Certificates [T1588.003]).

The celasllc[.]com domain had a valid Sectigo ... SSL certificate ( Obtain Capabilities: Digital Certificates [T1588.004]).

Lazarus Group... is targeting individuals and companies... through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.

Further research revealed that a phishing email from a Celas LLC company ( Phishing: Spearphishing Link [T1566.002]) recommended the trojanized cryptocurrency trading application to victims.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Creation and Deployment of Malicious Cryptocurrency Applications : Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.

The postinstall script is a sequence of instructions that runs after successfully installing an application ( Command and Scripting Interpreter: Unix Shell [T1059.004]).

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

...the postinstall script launches the Updater program with the CheckUpdate parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

The program UnionCryptoUpdater.exe first installs itself as a service ... which will automatically start when any user logs on ( Boot or Logon Autostart Execution [T1547]).

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

...the postinstall script launches the Updater program with the CheckUpdate parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

The program UnionCryptoUpdater.exe first installs itself as a service ... which will automatically start when any user logs on ( Boot or Logon Autostart Execution [T1547]).

Once permission is granted, the threat actor is able to run the program with elevated privileges ( Abuse Elevation Control Mechanism [T1548]).

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.

The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.

Updater.exe ... collects the victim’s host information ( System Owner/User Discovery [T1033]), encrypts the collected information ... and sends information to a C2 website.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

BoomBox can encrypt data using AES prior to exfiltration. ROKRAT can encrypt data prior to exfiltration by using an RSA public key. Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.

Examples include 'AppleJeus's COLDCAT C2 leverages cookie headers to contain data over HTTPS,' 'ChChes ... embeds data within the Cookie HTTP header,' 'GoldMax ... used custom HTTP cookies for C2,' and 'UPPERCUT ... sending error codes in Cookie headers.'

Upon executing the Gopuram backdoor, the malware connects to a C2 server and await further commands.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

Examples include: "FIN4 has used HTTP POST requests to transmit data," "SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration," and "PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server."

Targeting of Cryptocurrency Companies and Theft of Cryptocurrency : Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.