osx.applejeus

AppleJeus

Actor(s): Lazarus Group


There is no description at this point.

References
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} }
Related families: PhantomLance, Dacls, Penquin Turla, elf.wellmess, AppleJeus, Dacls, AcidBox, Cobalt Strike, Dacls, EternalPetya, Godlike12, Olympic Destroyer, PlugX, shadowhammer, ShadowPad, Sinowal, VHD Ransomware, Volgmer, WellMess, X-Agent, XTunnel

2020-07-27 | SentinelOne | Phil Stokes
@online{stokes:20200727:four:9d80c60, author = {Phil Stokes}, title = {{Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform}}, date = {2020-07-27}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/}, language = {English}, urldate = {2020-07-30} }
Related families: AppleJeus, Casso, Dacls, WatchCat

2020-02-22 | Objective-See | Patrick Wardle
@online{wardle:20200222:weaponizing:ea810ff, author = {Patrick Wardle}, title = {{Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads}}, date = {2020-02-22}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x54.html}, language = {English}, urldate = {2020-02-27} }
Related families: AppleJeus

2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} }
Related families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Related families: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020-01-08 | Kaspersky Labs | GReAT
@online{great:20200108:operation:ea445d5, author = {GReAT}, title = {{Operation AppleJeus Sequel}}, date = {2020-01-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus-sequel/95596/}, language = {English}, urldate = {2020-01-13} }
Related families: AppleJeus, Unidentified macOS 001 (UnionCryptoTrader)

2019-10-12 | Objective-See | Patrick Wardle
@online{wardle:20191012:pass:9a75bd6, author = {Patrick Wardle}, title = {{Pass the AppleJeus}}, date = {2019-10-12}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x49.html}, language = {English}, urldate = {2020-01-13} }
Related families: AppleJeus

2019-04-24 | SpecterOps | Richie Cyrus
@online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} }
Related families: AppleJeus, WindTail

2018-08-23 | Kaspersky Labs | GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} }
Related families: AppleJeus, Volgmer, Lazarus Group
Yara Rules
[TLP:WHITE] osx_applejeus_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule osx_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 49 8d442403 48 8985b8fbffff 4c 8d3d07130000 eb4b }
            // n = 7, score = 100
            //   49                   | dec                 ecx
            //   8d442403             | lea                 eax, [esp + 3]
            //   48                   | dec                 eax
            //   8985b8fbffff         | mov                 dword ptr [ebp - 0x448], eax
            //   4c                   | dec                 esp
            //   8d3d07130000         | lea                 edi, [0x1307]
            //   eb4b                 | jmp                 0x4d

        $sequence_1 = { e8???????? 85c0 0f8596010000 8b9dccfbffff 48 85db }
            // n = 6, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8596010000         | jne                 0x19c
            //   8b9dccfbffff         | mov                 ebx, dword ptr [ebp - 0x434]
            //   48                   | dec                 eax
            //   85db                 | test                ebx, ebx

        $sequence_2 = { 8d8510f3ffff 31c0 4c 89f7 }
            // n = 4, score = 100
            //   8d8510f3ffff         | lea                 eax, [ebp - 0xcf0]
            //   31c0                 | xor                 eax, eax
            //   4c                   | dec                 esp
            //   89f7                 | mov                 edi, esi

        $sequence_3 = { e8???????? e8???????? 85c0 75ed bfa0860100 e8???????? e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75ed                 | jne                 0xffffffef
            //   bfa0860100           | mov                 edi, 0x186a0
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_4 = { 48 8b09 48 3b4dd0 0f8589000000 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   48                   | dec                 eax
            //   3b4dd0               | cmp                 ecx, dword ptr [ebp - 0x30]
            //   0f8589000000         | jne                 0x8f

        $sequence_5 = { b902000000 39c8 741c 83f801 }
            // n = 4, score = 100
            //   b902000000           | mov                 ecx, 2
            //   39c8                 | cmp                 eax, ecx
            //   741c                 | je                  0x1e
            //   83f801               | cmp                 eax, 1

        $sequence_6 = { 3b4dd0 0f8589000000 48 81c4???????? 5b 41 }
            // n = 6, score = 100
            //   3b4dd0               | cmp                 ecx, dword ptr [ebp - 0x30]
            //   0f8589000000         | jne                 0x8f
            //   48                   | dec                 eax
            //   81c4????????         |                     
            //   5b                   | pop                 ebx
            //   41                   | inc                 ecx

        $sequence_7 = { 48 89df e8???????? 48 8b3d???????? b901000000 4c }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   89df                 | mov                 edi, ebx
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b3d????????         |                     
            //   b901000000           | mov                 ecx, 1
            //   4c                   | dec                 esp

        $sequence_8 = { 4c 89ef ff15???????? 0f57c0 48 8d9d90f1ffff 0f294370 }
            // n = 7, score = 100
            //   4c                   | dec                 esp
            //   89ef                 | mov                 edi, ebp
            //   ff15????????         |                     
            //   0f57c0               | xorps               xmm0, xmm0
            //   48                   | dec                 eax
            //   8d9d90f1ffff         | lea                 ebx, [ebp - 0xe70]
            //   0f294370             | movaps              xmmword ptr [ebx + 0x70], xmm0

        $sequence_9 = { 8d3520140000 48 8d9590f3ffff 31c0 }
            // n = 4, score = 100
            //   8d3520140000         | lea                 esi, [0x1420]
            //   48                   | dec                 eax
            //   8d9590f3ffff         | lea                 edx, [ebp - 0xc70]
            //   31c0                 | xor                 eax, eax

    condition:
        7 of them and filesize < 78336
}