AppleJeus (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

osx.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group

VTCollection

According to PcRisk AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.

References

2022-12-16 ⋅ Sekoia ⋅ Jamila B., Threat & Detection Research Team
The DPRK delicate sound of cyber
AppleJeus AppleJeus SnatchCrypto

2022-08-15 ⋅ Brandefense ⋅ Brandefense
Lazarus APT Group (APT38)
AppleJeus AppleJeus BADCALL Bankshot BLINDINGCAN DRATzarus Dtrack KEYMARBLE Sierra(Alfa,Bravo, ...) Torisma WannaCryptor

2022-08-13 ⋅ YoutTube (Blue Team Village) ⋅ Seongsu Park
Attribution and Bias: My terrible mistakes in threat intelligence attribution
AppleJeus Olympic Destroyer

2021-10-08 ⋅ Virus Bulletin ⋅ Seongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient

2021-07-10 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani
Analysis of AppleJeus Malware by Lazarus Group
AppleJeus

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-02-18 ⋅ Symantec ⋅ Threat Hunter Team
Lazarus: Three North Koreans Charged for Financially Motivated Attacks
AppleJeus POOLRAT Unidentified macOS 001 (UnionCryptoTrader) AppleJeus Unidentified 077 (Lazarus Downloader)

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus POOLRAT AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus Unidentified macOS 001 (UnionCryptoTrader) AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus Unidentified 077 (Lazarus Downloader)

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ US-CERT
Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus Lazarus Group

2021-01-01 ⋅ Objective-See ⋅ Patrick Wardle
The Mac Malware of 2020 - a comprehensive analysis of the year's new malware
AppleJeus Dacls EvilQuest FinFisher WatchCat XCSSET

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-27 ⋅ SentinelOne ⋅ Phil Stokes
Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
AppleJeus Casso Dacls WatchCat

2020-02-22 ⋅ Objective-See ⋅ Patrick Wardle
Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads
AppleJeus

2020-02-19 ⋅ Lexfo ⋅ Lexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-01-08 ⋅ Kaspersky Labs ⋅ GReAT
Operation AppleJeus Sequel
AppleJeus Unidentified macOS 001 (UnionCryptoTrader)

2019-10-12 ⋅ Objective-See ⋅ Patrick Wardle
Pass the AppleJeus
AppleJeus

2019-04-24 ⋅ SpecterOps ⋅ Richie Cyrus
Introducing Venator: A macOS tool for proactive detection
AppleJeus WindTail

2018-08-23 ⋅ Kaspersky Labs ⋅ GReAT
Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group

Yara Rules

[TLP:WHITE] osx_applejeus_auto (20201014 | autogenerated rule brought to you by yara-signator)

rule osx_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d9d90f1ffff 0f294370 0f294360 0f294350 0f294340 }
            // n = 5, score = 100
            //   8d9d90f1ffff         | lea                 ebx, [ebp - 0xe70]
            //   0f294370             | movaps              xmmword ptr [ebx + 0x70], xmm0
            //   0f294360             | movaps              xmmword ptr [ebx + 0x60], xmm0
            //   0f294350             | movaps              xmmword ptr [ebx + 0x50], xmm0
            //   0f294340             | movaps              xmmword ptr [ebx + 0x40], xmm0

        $sequence_1 = { e8???????? 49 89c7 bf00000300 e8???????? 49 89c6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   89c7                 | mov                 edi, eax
            //   bf00000300           | mov                 edi, 0x30000
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   89c6                 | mov                 esi, eax

        $sequence_2 = { 0f294310 0f2903 48 8d3586120000 48 }
            // n = 5, score = 100
            //   0f294310             | movaps              xmmword ptr [ebx + 0x10], xmm0
            //   0f2903               | movaps              xmmword ptr [ebx], xmm0
            //   48                   | dec                 eax
            //   8d3586120000         | lea                 esi, [0x1286]
            //   48                   | dec                 eax

        $sequence_3 = { 0f294730 41 0f294720 41 }
            // n = 4, score = 100
            //   0f294730             | movaps              xmmword ptr [edi + 0x30], xmm0
            //   41                   | inc                 ecx
            //   0f294720             | movaps              xmmword ptr [edi + 0x20], xmm0
            //   41                   | inc                 ecx

        $sequence_4 = { 89f7 e8???????? 48 8d35cb140000 48 8d9590f3ffff }
            // n = 6, score = 100
            //   89f7                 | mov                 edi, esi
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8d35cb140000         | lea                 esi, [0x14cb]
            //   48                   | dec                 eax
            //   8d9590f3ffff         | lea                 edx, [ebp - 0xc70]

        $sequence_5 = { 03bdc0fbfcff 41 81fe00000300 0f8380000000 49 }
            // n = 5, score = 100
            //   03bdc0fbfcff         | add                 edi, dword ptr [ebp - 0x30440]
            //   41                   | inc                 ecx
            //   81fe00000300         | cmp                 esi, 0x30000
            //   0f8380000000         | jae                 0x86
            //   49                   | dec                 ecx

        $sequence_6 = { 89e7 ff15???????? 48 8bbd48f1ffff 48 }
            // n = 5, score = 100
            //   89e7                 | mov                 edi, esp
            //   ff15????????         |                     
            //   48                   | dec                 eax
            //   8bbd48f1ffff         | mov                 edi, dword ptr [ebp - 0xeb8]
            //   48                   | dec                 eax

        $sequence_7 = { 89f7 e8???????? 48 89c6 31c0 }
            // n = 5, score = 100
            //   89f7                 | mov                 edi, esi
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   89c6                 | mov                 esi, eax
            //   31c0                 | xor                 eax, eax

        $sequence_8 = { 4c 89e7 48 8d35c6090000 e8???????? 84c0 }
            // n = 6, score = 100
            //   4c                   | dec                 esp
            //   89e7                 | mov                 edi, esp
            //   48                   | dec                 eax
            //   8d35c6090000         | lea                 esi, [0x9c6]
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_9 = { 83c706 e8???????? 89c3 4c 8dbdccfbffff }
            // n = 5, score = 100
            //   83c706               | add                 edi, 6
            //   e8????????           |                     
            //   89c3                 | mov                 ebx, eax
            //   4c                   | dec                 esp
            //   8dbdccfbffff         | lea                 edi, [ebp - 0x434]

    condition:
        7 of them and filesize < 78336
}

Download all Yara Rules

AppleJeus Propose Change

References

Yara Rules

AppleJeus