AppleJeus

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[1]

ID: S0584
Type: MALWARE
Platforms: Windows, macOS
Version: 1.1
Created: 01 March 2021
Last Modified: 28 September 2022

Techniques Used

Domain ID Name Use
Enterprise T1546 .016 Event Triggered Execution: Installer Packages

During AppleJeus's installation process, it uses postinstall scripts to extract a hidden plist from the application's /Resources folder and execute the plist file as a Launch Daemon with elevated permissions.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

AppleJeus can install itself as a service.[1]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

AppleJeus has placed a plist file within the LaunchDaemons folder and launched it manually.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

AppleJeus has decoded files received from a C2.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

AppleJeus has used shell scripts to execute commands after installation and set persistence mechanisms.[1][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

AppleJeus has sent data to its C2 server via POST requests.[1][2]

Enterprise T1027 Obfuscated Files or Information

AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.[1]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.[1]

Enterprise T1204 .001 User Execution: Malicious Link

AppleJeus's spearphishing links required user interaction to navigate to the malicious website.[1]

Enterprise T1204 .002 User Execution: Malicious File

AppleJeus has required user execution of a malicious MSI installer.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

AppleJeus has deleted the MSI file after installation.[1]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

AppleJeus has been installed via MSI installer.[1]

Enterprise T1082 System Information Discovery

AppleJeus has collected the victim host information after infection.[1]

Enterprise T1569 .001 System Services: Launchctl

AppleJeus has loaded a plist file using the launchctl command.[1]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

AppleJeus has waited a specified time before downloading a second stage payload.[1]

Enterprise T1041 Exfiltration Over C2 Channel

AppleJeus has exfiltrated collected host information to a C2 server.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

AppleJeus has been distributed via spearphishing link.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

AppleJeus has added a leading "." to plist filenames, which hides them from the Finder app and from default Terminal directory listings.[1]
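The Launch Daemon persistence (T1543.004) and the dot-prefixed plist trick (T1564.001) described above give a defender two cheap things to look for in the launchd directories: plist files whose name starts with "." and launch items whose program path passes through a hidden directory. The audit script below is an added example written for this page, not code from the ATT&CK project or from any referenced report; it uses only the Python standard library (plistlib), builds its own constructed sample directory so it runs anywhere, and assumes the standard macOS paths in LAUNCH_DIRS when run on a real host.

```python
import tempfile
import plistlib
from pathlib import Path

# Assumption: the standard system-wide launchd directories on macOS.
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents"]


def _hidden_component(path_str):
    """Return True if any directory or file component of the path starts with '.'."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in Path(path_str).parts)


def audit_launch_dir(directory):
    """Return a list of (plist_path, reason) findings for one launchd directory.

    Two heuristics, both grounded in the behaviour described on this page:
      1. a dot-prefixed .plist filename (hidden from Finder and plain `ls`)
      2. a Program/ProgramArguments entry that runs something from a hidden path
    A directory that does not exist yields no findings.
    """
    findings = []
    d = Path(directory)
    if not d.is_dir():
        return findings
    for p in sorted(d.iterdir()):
        if not p.name.endswith(".plist"):
            continue
        if p.name.startswith("."):
            findings.append((str(p), "hidden (dot-prefixed) plist filename"))
        try:
            with p.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # malformed or non-plist content is itself worth a look
            findings.append((str(p), f"unparseable plist: {exc}"))
            continue
        targets = list(data.get("ProgramArguments") or [])
        if data.get("Program"):
            targets.append(data["Program"])
        for target in targets:
            if isinstance(target, str) and _hidden_component(target):
                findings.append((str(p), f"runs hidden path component: {target}"))
    return findings


def build_sample_dir():
    """Construct a temporary directory with one benign and one hidden launch item.

    The two plists are constructed sample data for this example only.
    """
    tmp = Path(tempfile.mkdtemp(prefix="launchd_audit_"))
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/usr/local/bin/updater"],
        "RunAtLoad": True,
    }
    hidden = {
        "Label": "com.example.helper",
        "ProgramArguments": ["/Library/Application Support/.helper/run.sh"],
        "RunAtLoad": True,
    }
    with (tmp / "com.example.updater.plist").open("wb") as fh:
        plistlib.dump(benign, fh)
    with (tmp / ".com.example.helper.plist").open("wb") as fh:
        plistlib.dump(hidden, fh)
    return tmp


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the real directories if present.
    for directory in [build_sample_dir()] + LAUNCH_DIRS:
        for path, reason in audit_launch_dir(directory):
            print(f"{reason}: {path}")
```

On the constructed sample the script reports the hidden plist twice, once for its dot-prefixed name and once because its ProgramArguments point into a ".helper" directory, and says nothing about the benign updater. The filename check is deliberately done before parsing so that a hidden plist is reported even when its contents are malformed.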

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

AppleJeus has used a valid digital signature from Sectigo to appear legitimate.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]

References