SYMBOLCOMMON_NAMEaka. SYNONYMS
osx.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group


According to PcRisk AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.

References
2022-12-16SekoiaThreat & Detection Research Team
@online{team:20221216:dprk:4abe047, author = {Threat & Detection Research Team}, title = {{The DPRK delicate sound of cyber}}, date = {2022-12-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/}, language = {English}, urldate = {2022-12-29} } The DPRK delicate sound of cyber
AppleJeus AppleJeus SnatchCrypto
2022-08-13YoutTube (Blue Team Village)Seongsu Park
@online{park:20220813:attribution:a689611, author = {Seongsu Park}, title = {{Attribution and Bias: My terrible mistakes in threat intelligence attribution}}, date = {2022-08-13}, organization = {YoutTube (Blue Team Village)}, url = {https://www.youtube.com/watch?v=rjA0Vf75cYk}, language = {English}, urldate = {2022-09-19} } Attribution and Bias: My terrible mistakes in threat intelligence attribution
AppleJeus Olympic Destroyer
2021-07-10Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20210710:analysis:35afafd, author = {AhmedS Kasmani}, title = {{Analysis of AppleJeus Malware by Lazarus Group}}, date = {2021-07-10}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=1NkzTKkEM2k}, language = {English}, urldate = {2021-07-20} } Analysis of AppleJeus Malware by Lazarus Group
AppleJeus
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus
2021-02-17US-CERTUS-CERT
@online{uscert:20210217:alert:3d0afe3, author = {US-CERT}, title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a}, language = {English}, urldate = {2021-02-20} } Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus
2021-01-01Objective-SeePatrick Wardle
@online{wardle:20210101:mac:a6f5a3b, author = {Patrick Wardle}, title = {{The Mac Malware of 2020 - a comprehensive analysis of the year's new malware}}, date = {2021-01-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x5F.html}, language = {English}, urldate = {2021-01-11} } The Mac Malware of 2020 - a comprehensive analysis of the year's new malware
AppleJeus Dacls EvilQuest FinFisher WatchCat XCSSET
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-27SentinelOnePhil Stokes
@online{stokes:20200727:four:9d80c60, author = {Phil Stokes}, title = {{Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform}}, date = {2020-07-27}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/}, language = {English}, urldate = {2020-07-30} } Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
AppleJeus Casso Dacls WatchCat
2020-02-22Objective-SeePatrick Wardle
@online{wardle:20200222:weaponizing:ea810ff, author = {Patrick Wardle}, title = {{Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads}}, date = {2020-02-22}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x54.html}, language = {English}, urldate = {2020-02-27} } Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads
AppleJeus
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-08Kaspersky LabsGReAT
@online{great:20200108:operation:ea445d5, author = {GReAT}, title = {{Operation AppleJeus Sequel}}, date = {2020-01-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus-sequel/95596/}, language = {English}, urldate = {2020-01-13} } Operation AppleJeus Sequel
AppleJeus Unidentified macOS 001 (UnionCryptoTrader)
2019-10-12Objective-SeePatrick Wardle
@online{wardle:20191012:pass:9a75bd6, author = {Patrick Wardle}, title = {{Pass the AppleJeus}}, date = {2019-10-12}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x49.html}, language = {English}, urldate = {2020-01-13} } Pass the AppleJeus
AppleJeus
2019-04-24SpecterOpsRichie Cyrus
@online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} } Introducing Venator: A macOS tool for proactive detection
AppleJeus WindTail
2018-08-23Kaspersky LabsGReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] osx_applejeus_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule osx_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d9d90f1ffff 0f294370 0f294360 0f294350 0f294340 }
            // n = 5, score = 100
            //   8d9d90f1ffff         | lea                 ebx, [ebp - 0xe70]
            //   0f294370             | movaps              xmmword ptr [ebx + 0x70], xmm0
            //   0f294360             | movaps              xmmword ptr [ebx + 0x60], xmm0
            //   0f294350             | movaps              xmmword ptr [ebx + 0x50], xmm0
            //   0f294340             | movaps              xmmword ptr [ebx + 0x40], xmm0

        $sequence_1 = { e8???????? 49 89c7 bf00000300 e8???????? 49 89c6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   89c7                 | mov                 edi, eax
            //   bf00000300           | mov                 edi, 0x30000
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   89c6                 | mov                 esi, eax

        $sequence_2 = { 0f294310 0f2903 48 8d3586120000 48 }
            // n = 5, score = 100
            //   0f294310             | movaps              xmmword ptr [ebx + 0x10], xmm0
            //   0f2903               | movaps              xmmword ptr [ebx], xmm0
            //   48                   | dec                 eax
            //   8d3586120000         | lea                 esi, [0x1286]
            //   48                   | dec                 eax

        $sequence_3 = { 0f294730 41 0f294720 41 }
            // n = 4, score = 100
            //   0f294730             | movaps              xmmword ptr [edi + 0x30], xmm0
            //   41                   | inc                 ecx
            //   0f294720             | movaps              xmmword ptr [edi + 0x20], xmm0
            //   41                   | inc                 ecx

        $sequence_4 = { 89f7 e8???????? 48 8d35cb140000 48 8d9590f3ffff }
            // n = 6, score = 100
            //   89f7                 | mov                 edi, esi
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8d35cb140000         | lea                 esi, [0x14cb]
            //   48                   | dec                 eax
            //   8d9590f3ffff         | lea                 edx, [ebp - 0xc70]

        $sequence_5 = { 03bdc0fbfcff 41 81fe00000300 0f8380000000 49 }
            // n = 5, score = 100
            //   03bdc0fbfcff         | add                 edi, dword ptr [ebp - 0x30440]
            //   41                   | inc                 ecx
            //   81fe00000300         | cmp                 esi, 0x30000
            //   0f8380000000         | jae                 0x86
            //   49                   | dec                 ecx

        $sequence_6 = { 89e7 ff15???????? 48 8bbd48f1ffff 48 }
            // n = 5, score = 100
            //   89e7                 | mov                 edi, esp
            //   ff15????????         |                     
            //   48                   | dec                 eax
            //   8bbd48f1ffff         | mov                 edi, dword ptr [ebp - 0xeb8]
            //   48                   | dec                 eax

        $sequence_7 = { 89f7 e8???????? 48 89c6 31c0 }
            // n = 5, score = 100
            //   89f7                 | mov                 edi, esi
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   89c6                 | mov                 esi, eax
            //   31c0                 | xor                 eax, eax

        $sequence_8 = { 4c 89e7 48 8d35c6090000 e8???????? 84c0 }
            // n = 6, score = 100
            //   4c                   | dec                 esp
            //   89e7                 | mov                 edi, esp
            //   48                   | dec                 eax
            //   8d35c6090000         | lea                 esi, [0x9c6]
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_9 = { 83c706 e8???????? 89c3 4c 8dbdccfbffff }
            // n = 5, score = 100
            //   83c706               | add                 edi, 6
            //   e8????????           |                     
            //   89c3                 | mov                 ebx, eax
            //   4c                   | dec                 esp
            //   8dbdccfbffff         | lea                 edi, [ebp - 0x434]

    condition:
        7 of them and filesize < 78336
}
Download all Yara Rules