North Korea (Lazarus Group): In 2018, Lazarus Group was linked to an operation dubbed “AppleJeus.” The operation was notable as the first time Lazarus Group was observed targeting macOS. Recent analysis has revealed that the operation is still ongoing and has undergone significant changes. To continue successfully targeting macOS users, Lazarus Group has developed homemade macOS malware and added an authentication mechanism to deliver the next-stage payload very carefully, while keeping that payload from touching the disk. For Windows users, the group developed a multi-stage infection procedure and a different final payload. Analysis of the Windows payload has yet to yield information about the initial installer, but it was established that the infection started from a malicious file named WFCUpdater.exe. At the time of the infection that revealed the details about WFCUpdater.exe, Lazarus Group was operating a fake website called wfcwallet[dot]com. It is believed that a file called Device.exe opens port 6378, but because Device.exe could not be captured, this has not been confirmed. The macOS malware for this campaign makes use of a fake website and application called JMTTrading. The macOS version was found to be hosted on GitHub and implements a simple backdoor function in a macOS executable. As in the previous version of this campaign, however, the malware encrypts and decrypts using a 16-byte XOR key.
The changes made to Operation AppleJeus since its inception demonstrate Lazarus Group's significant ability to adapt to a changing security landscape. Many of the victims of this most recent wave of Operation AppleJeus have been tied to cryptocurrency services. North Korea has had a significant interest in cyber-crimes against financial institutions of all types. Much of this interest stems from the heavy sanctions levied against it by both the United States and the United Nations, sanctions with which even China has complied. Monitoring system activity on both networks and endpoints is vital to catching infections like this as early as possible. More information can be found at https://securelist.com/operation-applejeus-sequel/95596/.
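The monitoring advice above can be made concrete with the indicators this summary names. The following is an added example, not code from the original analysis: the event schema, host names and file paths are constructed for illustration, and the confidence levels are an assumption reflecting that Device.exe opening port 6378 was reported as unconfirmed.

```python
import re

# Indicators named in the summary above. Device.exe and port 6378 are
# "low" because the summary says that behaviour was not confirmed.
FILES = {"wfcupdater.exe": "high", "device.exe": "low"}
DOMAINS = {"wfcwallet.com": "high"}
NAMES = {"jmttrading": "medium"}  # fake macOS application / website name
PORTS = {6378: "low"}
PAIR = {"device.exe", "listen:6378"}  # weak alone, notable together

# Constructed sample events (not real telemetry); schema is hypothetical.
SAMPLE = [
    {"host": "win-01", "image": r"C:\Users\a\Downloads\WFCUpdater.exe"},
    {"host": "win-02", "image": r"C:\Temp\Device.exe", "listen_port": 6378},
    {"host": "win-03", "image": r"C:\Drivers\Device.exe"},
    {"host": "mac-01", "image": "/Applications/JMTTrading.app/Contents/MacOS/JMTTrading"},
    {"host": "win-04", "domain": "www.wfcwallet[dot]com"},
    {"host": "win-05", "image": r"C:\Windows\explorer.exe", "listen_port": 445},
]

def refang(text):
    """Undo defanging such as wfcwallet[dot]com or wfcwallet[.]com."""
    return re.sub(r"\[(?:dot|\.)\]", ".", text, flags=re.I)

def match_event(ev):
    """Return {indicator: confidence}; the event keys are an assumed schema."""
    image = ev.get("image", "").lower()
    domain = refang(ev.get("domain", "")).lower().rstrip(".")
    base = re.split(r"[\\/]", image)[-1]  # basename, Windows or POSIX path
    hits = {base: FILES[base]} if base in FILES else {}
    hits.update({d: c for d, c in DOMAINS.items()
                 if domain == d or domain.endswith("." + d)})
    hits.update({n: c for n, c in NAMES.items() if n in image or n in domain})
    if ev.get("listen_port") in PORTS:
        hits[f"listen:{ev['listen_port']}"] = PORTS[ev["listen_port"]]
    return hits

def triage(events):
    """Per-host level: 'alert' on a high-confidence hit or when both
    unconfirmed indicators co-occur on the host, otherwise 'review'."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], {}).update(match_event(ev))
    return {host: "alert" if "high" in h.values() or PAIR <= set(h) else "review"
            for host, h in per_host.items() if h}
```

A generic file name such as Device.exe on its own only yields "review"; it escalates to "alert" when the same host also listens on port 6378.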