North Korean Hacking Group Upgrades ‘Apple Jeus’ Cyber-Theft macOS Malware

A hacking group believed to be from North Korea is reportedly stepping up its game to continue its cryptocurrency stealing campaigns.

Dubbed Operation AppleJeus, the cyber-theft campaign has been in operation since at least 2018 and has been linked to the Lazarus Group, a state-sponsored hacking operation working on behalf of Pyongyang.

According to a new report from The Register, new findings from Kaspersky’s Global Research and Analysis Team (GReAT) show that the infamous threat actor’s operations continue with more careful steps, improved tactics and procedures, and the use of Telegram as one of its new attack vectors. Victims in the UK, Poland, Russia, and China, in addition to several business entities connected to cryptocurrency, were affected during the operation.

The security researchers explain that following Operation AppleJeus, Lazarus continued to employ a similar modus operandi in attacks on cryptocurrency businesses and that more macOS malware similar to that from the original Operation AppleJeus case was discovered.

The hackers leveraged public source code to build their macOS installers; three of them used a similar post-installer script and the same command-line argument when executing the second stage. An installer first created in early December 2019, however, appears to mark a new evolutionary stage in the development of Lazarus macOS malware.

One victim, Kaspersky’s security researchers discovered, was compromised with Windows AppleJeus malware in March 2019 as part of a multi-stage infection process that used methods different from those seen before. After reconnaissance, the operator implanted a payload manually, and additional tools were delivered to establish remote tunnelling.

“Since the initial appearance of Operation AppleJeus, we can see that over time the authors have changed their modus operandi considerably,” Kaspersky researchers wrote in a report detailing the attacks. “We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated.”

“We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon,” the researchers concluded.