The North Korean ‘Lazarus’ hacking group is linked to a new attack that spreads fake cryptocurrency apps under the made-up brand “BloxHolder” to install the AppleJeus malware, which the group uses for initial access to networks and for stealing crypto assets. According to a joint FBI and CISA report from February 2021, AppleJeus has been in circulation since at least 2018 and has been used by Lazarus in cryptocurrency hijacking and digital asset theft operations.

A new report by Volexity has identified new fake crypto programs and AppleJeus activity, with signs of evolution in the malware’s infection chain and capabilities. The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022.

In this campaign, the threat actors used the “bloxholder[.]com” domain, a clone of the HaasOnline automated cryptocurrency trading platform. This website distributed a 12.7MB Windows MSI installer that posed as the BloxHolder app; in reality, it was the AppleJeus malware bundled with the QTBitcoinTrader app.

In October 2022, the hacking group changed the campaign to use Microsoft Office documents instead of the MSI installer to distribute the malware. The 214KB document was named ‘OKX Binance & Huobi VIP fee comparision.xls’ and contained a macro that creates three files on the target’s computer. Volexity couldn’t retrieve the final payload from this later infection chain, but they noted similarities to the DLL sideloading mechanism used in the earlier MSI installer attacks, so they’re confident it’s the same campaign.
Full story: Hackers use new, fake crypto app to breach networks, steal cryptocurrency.