The North Korean Lazarus Group, aka APT38, is one of the most sophisticated North Korean APTs. It’s been active since 2009 and is responsible for many high-profile attacks.
In January of 2022 the Malwarebytes Intelligence Team uncovered a campaign where Lazarus conducted spear phishing attacks weaponized with malicious documents that used a familiar job opportunities theme. Now, researchers at Volexity have analyzed a new campaign that is likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by using malicious Microsoft Office documents.
The Lazarus Group is commonly believed to be run by the North Korean government. It is thought to conduct financial cybercrimes as a way to raise money for a regime that has few trading opportunities because of long-standing international sanctions. One of the group’s preferred tactics is to use trojanized cryptocurrency-related apps, like AppleJeus.
Since 2018, one of Lazarus Group’s tactics has been to disguise AppleJeus malware as cryptocurrency trading platforms for both Windows and Mac. In April, CISA warned that Lazarus Group uses these trojanized applications to gain access to victims’ computers, spread other malware, and steal private keys or exploit other security gaps. All of this is done to create an environment where the group can initiate fraudulent cryptocurrency transactions.
The new campaign
The campaign started when Lazarus Group registered the domain bloxholder[.]com. The website Lazarus Group built there is a clone of the legitimate website HaasOnline. HaasOnline is a Dutch company that developed HaasScript, a crypto scripting language that allows users to create complex automated trading algorithms.
The cloned website distributed a Windows MSI installer that pretended to be an installer for the BloxHolder app. In fact, it was the AppleJeus malware bundled with the QTBitcoinTrader app, an open source cryptocurrency trading application which has been used by Lazarus before.
The start screen of the BloxHolder installer
In the background, the installer creates a Scheduled Task which executes the legitimate executable CameraSettingsUIHost.exe at logon of any user on the affected system.
When an executable loads a dynamic link library (DLL) in Windows, it looks for the library in a few locations. The first three are:
- A specified location
- The same folder/directory the executable is in
- The system directory
The search for the DLL is done in that order and the first one found gets loaded. What we normally would expect to see is that the executable and the DLL would get dropped in the same directory, but in this campaign the threat actor used an extra step.
CameraSettingsUIHost.exe loads the legitimate dui70.dll from the system directory, which in turn causes the load of the malicious DUser.dll that was dropped in the same directory as the executable. Why the group used this method instead of dropping a malicious dui70.dll in that directory is unclear.
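The load chain described above can be hunted for in image-load telemetry. The following is an added example, not code from Volexity or Malwarebytes: it flags a DLL loaded from the executable's own folder when its name matches a system DLL. The event records, the folder names and the system DLL set are constructed assumptions.

```python
import ntpath  # Windows path rules, so this also runs on non-Windows hosts

SYSTEM_DIR = r"C:\Windows\System32"
# Assumption: DLL names present in the system directory of a clean host.
SYSTEM_DLLS = {"dui70.dll", "duser.dll", "kernel32.dll"}

# Constructed placeholder folders; the report does not give the drop path.
APP = r"C:\Users\example\AppData\Roaming\ExampleApp"
VENDOR = r"C:\Program Files\ExampleVendor"

# Constructed image-load records: (process image, loaded module).
EVENTS = [
    (APP + r"\CameraSettingsUIHost.exe", SYSTEM_DIR + r"\dui70.dll"),
    (APP + r"\CameraSettingsUIHost.exe", APP + r"\DUser.dll"),
    (SYSTEM_DIR + r"\CameraSettingsUIHost.exe", SYSTEM_DIR + r"\DUser.dll"),
    (VENDOR + r"\tool.exe", VENDOR + r"\toolhelper.dll"),
]


def _norm(path):
    """Case-insensitive, separator-normalised form for comparisons."""
    return ntpath.normcase(ntpath.normpath(path))


def find_shadowed_loads(events, system_dir=SYSTEM_DIR, system_dlls=SYSTEM_DLLS):
    """Return (process, module) pairs where a DLL sitting next to the
    executable, outside the system directory, uses a system DLL's name."""
    sys_dir = _norm(system_dir)
    names = {n.lower() for n in system_dlls}
    hits = []
    for process, module in events:
        proc_dir = _norm(ntpath.dirname(process))
        mod_dir = _norm(ntpath.dirname(module))
        if mod_dir == sys_dir:
            continue  # the genuine system copy was loaded
        if mod_dir == proc_dir and ntpath.basename(module).lower() in names:
            hits.append((process, module))
    return hits


if __name__ == "__main__":
    for process, module in find_shadowed_loads(EVENTS):
        print(f"possible side-load: {process} loaded {module}")
```

Legitimate software sometimes ships private copies of DLLs whose names match system ones, so hits are leads for triage rather than verdicts.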
In October 2022, Lazarus Group started using a malicious Microsoft Office document to deliver the AppleJeus malware. The document uses embedded macros to deploy malware on the target system. The purpose of the malware is to download a payload from the file-sharing service OpenDrive.
Cryptotrading platforms and applications have been the subject of many attacks and scams lately. It pays to be very careful about whom you trust with your cryptocurrency and how you handle your trading.
Users that installed the BloxHolder MSI may also find the application in their list of installed programs.