The North Korean government has used multiple versions of AppleJeus since the malware was initially discovered in 2018. This section outlines seven of the versions below. The MARs listed above provide further technical details of these versions. Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware.

Targeted Nations

HIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy, finance, government, industry, technology, and telecommunications. Since January 2020, the threat actors have targeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States (figure 1).

Figure 1: Countries targeted with AppleJeus by HIDDEN COBRA threat actors since 2020

AppleJeus Versions Note

The version numbers used for headings in this document correspond to the order the AppleJeus campaigns were identified in open source or through other investigative means. These version numbers may or may not reflect the order in which the AppleJeus campaigns were developed or deployed.

AppleJeus Version 1: Celas Trade Pro

Introduction and Infrastructure

In August 2018, open-source reporting disclosed information about a trojanized version of a legitimate cryptocurrency trading application on an undisclosed victim’s computer. The malicious program, known as Celas Trade Pro, was a modified version of the benign Q.T. Bitcoin Trader application. This incident led to the victim company being infected with a Remote Administration Tool (RAT) known as FALLCHILL, which was attributed to North Korea (HIDDEN COBRA) by the U.S. Government. FALLCHILL is a fully functional RAT with multiple commands that the adversary can issue from a command and control (C2) server to infected systems via various proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware (Develop Capabilities: Malware [T1587.001]). Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.[4]

Further research revealed that a phishing email from a Celas LLC company (Phishing: Spearphishing Link [T1566.002]) recommended the trojanized cryptocurrency trading application to victims. The email provided a link to the Celas’ website, (Acquire Infrastructure: Domain [T1583.001]), where the victim could download a Windows or macOS version of the trojanized application.

The domain resolved to the following Internet Protocol (IP) addresses from May 29, 2018, to January 23, 2021.

The domain had a valid Sectigo (previously known as Comodo) Secure Sockets Layer (SSL) certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was ‘Domain Control Validated,’ a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Celas Trade Pro Application Analysis

Windows Program

The Windows version of the malicious Celas Trade Pro application is an MSI Installer (). The MSI Installer installation package comprises a software component and an application programming interface (API) that Microsoft uses for the installation, maintenance, and removal of software. The installer looks legitimate and is signed by a valid Sectigo certificate that was purchased by the same user as the SSL certificate for celasllc[.]com (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002]).

Once permission is granted, the threat actor is able to run the program with elevated privileges (Abuse Elevation Control Mechanism [T1548]) and MSI executes the following actions.

  • Installs in folder
  • Installs in folder
  • Runs with the parameters

The program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform (very similar to the benign Q.T. Bitcoin Trader) that exhibits no signs of malicious activity.

The program has the same program icon as . When run, it checks for the parameter, collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR encryption, and sends information to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer that has a disk image format that Apple commonly uses to distribute software over the internet. The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). It has very similar functionality to the Windows version. The installer executes the following actions.

  • Installs in folder
  • Installs in folder
  • Executes a script

    • Moves to folder
    • Runs with the parameter

asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform (very similar to the benign Q.T. Bitcoin Trader) that exhibits no signs of malicious activity.

checks for the parameter and, when found, it collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]). This process helps the adversary obtain persistence on a victim’s network.

The script is a sequence of instructions that runs after successfully installing an application (Command and Scripting Interpreter: AppleScript [T1059.002]). This script moves property list () file from the installer package to the folder (Scheduled Task/Job: Launchd [T1053.004]). The leading ‘.’ makes it unlisted in the Finder app or default Terminal directory listing (Hide Artifacts: Hidden Files and Directories [T1564.001]). Once in the folder, this property list () file will launch the program with the parameter on system load as Root for every user. Because the will not run automatically after the file is moved, the script launches the program with the parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

After a cybersecurity company published a report detailing the above programs and their malicious extras, the website was no longer accessible. Since this site was the C2 server, the payload cannot be confirmed. The cybersecurity company that published the report states the payload was an encrypted and obfuscated binary (Obfuscated Files or Information [T1027]), which eventually drops FALLCHILL onto the machine and installs it as a service (Create or Modify System Process: Windows Service [T1543.003]). FALLCHILL malware uses an RC4 encryption algorithm with a 16-byte key to protect its communications (Encrypted Channel: Symmetric Cryptography [T1573.001]). The key employed in these versions has also been used in a previous version of FALLCHILL.[5][6]

For more details on AppleJeus Version 1: Celas Trade Pro, see MAR-10322463-1.v1.

AppleJeus Version 2: JMT Trading

Introduction and Infrastructure

In October 2019, a cybersecurity company identified a new version of the AppleJeus malware, JMT Trading, thanks to its many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which a legitimate-looking company, called JMT Trading, marketed and distributed on their website, (Acquire Infrastructure: Domain [T1583.001]). This website contained a ‘Download from GitHub’ button, which linked to JMT Trading’s GitHub page (Acquire Infrastructure: Web Services [T1583.006]), where Windows and macOS X versions of the JMT Trader application were available for download (Develop Capabilities: Malware [T1587.001]). The GitHub page also included .zip and tar.gz files containing the source code.

The domain resolved to the following IP addresses from October 15, 2016, to January 22, 2021.

The domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was ‘Domain Control Validated,’ a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence. The current SSL certificate was issued by Let’s Encrypt.

JMT Trading Application Analysis

Windows Program

The Windows version of the malicious cryptocurrency application is an MSI Installer. The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002]).

Once permission is granted, the MSI executes the following actions.

  • Installs in folder
  • Installs in folder
  • Runs with the parameter

The program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform (very similar to and the benign Q.T. Bitcoin Trader) that exhibits no signs of malicious activity.

The program is heavily obfuscated with the ADVObfuscation library, renamed ‘snowman’ (Obfuscated Files or Information [T1027]). When run, it checks for the parameter and collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]). The program also creates a scheduled SYSTEM task, named , which runs with the parameter at any user’s login (Scheduled Task/Job: Scheduled Task [T1053.005]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

  • Installs in folder
  • Installs in folder

    • Note: the leading ‘.’ makes it unlisted in the Finder app or default Terminal directory listing.
  • Executes a script

    • Moves to folder
    • Changes the file permissions on the
    • Runs with the parameter
    • Moves to folder
    • Makes executable

The program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform (very similar to and the benign Q.T. Bitcoin Trader) that exhibits no signs of malicious activity.

The program checks for the parameter and is not obfuscated. This lack of obfuscation makes it easier to determine the program’s functionality in detail. When it finds the parameter, it collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]).

The script has similar functionality to the one used by , but it has a few additional features (Command and Scripting Interpreter: AppleScript [T1059.002]). It moves the property list () file from the Installer package to the folder (Scheduled Task/Job: Launchd [T1053.004]), but also changes the file permissions on the file. Once in the folder, this property list () file will launch the program with the parameter on system load as Root for every user. Also, the script moves the program to a new location and makes it executable. Because the will not run automatically after the file is moved, the script launches with the parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

Soon after the cybersecurity company tweeted about JMT Trader on October 11, 2019, the files on GitHub were updated to clean, non-malicious installers. Then on October 13, 2019, a different cybersecurity company published an article detailing the macOS X JMT Trader, and soon after, the C2 website went offline. There is not a confirmed sample of the payload to analyze at this point.

For more details on AppleJeus Version 2: JMT Trading, see MAR-10322463-2.v1.

AppleJeus Version 3: Union Crypto

Introduction and Infrastructure

In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which was marketed and distributed by a legitimate-looking company, called Union Crypto, on their website, (Acquire Infrastructure: Domain [T1583.001]). Although this website is no longer available, a cybersecurity researcher discovered a download link, , recorded on VirusTotal for the macOS X version of . In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a ‘Telegram Downloads’ folder on an unnamed victim.[7]

The domain resolved to the following IP addresses from June 5, 2019, to July 15, 2020.

The domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was ‘Domain Control Validated,’ a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Union Crypto Trader Application Analysis

Windows Program

The Windows version of the malicious cryptocurrency application is a Windows executable () (User Execution: Malicious File [T1204.002]), which acts as an installer that extracts a temporary MSI Installer.

The Windows program executes the following actions.

  • Extracts to folder
  • Runs

    • Installs in folder
    • Installs
  • Deletes
  • Runs

The program loads a legitimate-looking cryptocurrency arbitrage application (arbitrage being defined as ‘the simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms to take advantage of differing prices for the same asset’), which exhibits no signs of malicious activity. This application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.[8]

The program first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it ‘Automatically installs updates for Union Crypto Trader.’ When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in a string that is MD5 hashed and stored in the variable before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

  • Installs in folder
  • Installs in folder

    • Note: the leading ‘.’ makes it unlisted in the Finder app or default Terminal directory listing
  • Executes a script

    • Moves to folder
    • Changes the file permissions on the to Root
    • Runs
    • Moves to folder
    • Makes executable

The program loads a legitimate-looking cryptocurrency arbitrage application, which exhibits no signs of malicious activity. The application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.

The program is signed ad-hoc, meaning it is not signed with a valid code-signing identity. When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in a string that is MD5 hashed and stored in the variable before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

The script has similar functionality to the one used by JMT Trading (Command and Scripting Interpreter: AppleScript [T1059.002]). It moves the property list () file from the Installer package to the folder (Scheduled Task/Job: Launchd [T1053.004]), but also changes the file permissions on the file to Root. Once in the folder, this property list () file will launch the on system load as Root for every user. The script moves the program to a new location and makes it executable. Because the will not run automatically after the file is moved, the script launches and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

The payload for the Windows malware is a Windows Dynamic-Link-Library. does not immediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This delay could be implemented to prevent researchers from directly obtaining the stage 2 malware.

The macOS X malware’s payload could not be downloaded, as the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the macOS X payload. The macOS X payload is likely similar in functionality to the Windows stage 2 detailed above.

For more details on AppleJeus Version 3: Union Crypto, see MAR-10322463-3.v1.

Commonalities between Celas Trade Pro, JMT Trading, and Union Crypto

Hardcoded Values

In each AppleJeus version, there are hardcoded values used for encryption or to create a signature when combined with the time (table 1).

Table 1: AppleJeus hardcoded values and uses

| AppleJeus Version      | Value                        | Use                              |
|------------------------|------------------------------|----------------------------------|
| 1: Celas Trade Pro     | Moz&Wie;#t/6T!2y             | XOR encryption to send data      |
| 1: Celas Trade Pro     | [email protected]%Df324V$Yd  | RC4 decryption                   |
| 2: JMT Trader Windows  | X,%`PMk–Jj8s+6=15:20:11      | XOR encryption to send data      |
| 2: JMT Trader OSX      | X,%`PMk–Jj8s+6=\x02          | XOR encryption to send data      |
| 3: Union Crypto Trader | 12GWAPCT1F0I1S14             | Combined with time for signature |

The Union Crypto Trader and Celas LLC (XOR) values are 16 bytes in length. For JMT Trader, the first 16 bytes of the Windows and macOS X values are identical, and the additional bytes are in a time format for the Windows sample. The structure of a 16-byte value combined with the time is also used in Union Crypto Trader to create the .

As mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use 16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples.
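For analysts triaging captured traffic, the following added example (not code from the advisory or from the malware) tests whether a captured byte string decodes to text under the version 1 XOR value from Table 1. It assumes a repeating-key XOR, which the advisory does not specify; the sample host-information string and its field layout are constructed for illustration.

```python
"""Triage captured bytes against a hardcoded XOR value listed in Table 1."""
from itertools import cycle

# Value copied from Table 1 on this page (version 1, "XOR encryption to send data").
KNOWN_XOR_VALUES = {"1: Celas Trade Pro": b"Moz&Wie;#t/6T!2y"}

# Bytes counted as text: printable ASCII plus tab, LF and CR.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_repeat(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR data with the key repeated, starting at key[offset].

    Repeating-key XOR is an assumption; XOR is its own inverse, so the same
    call both encodes and decodes.
    """
    rotated = key[offset:] + key[:offset]
    return bytes(b ^ k for b, k in zip(data, cycle(rotated)))


def text_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text."""
    return sum(b in TEXT_BYTES for b in data) / len(data) if data else 0.0


def decode_candidates(blob, values=KNOWN_XOR_VALUES, threshold=0.95, min_len=32):
    """Return (label, key_offset, plaintext) tuples, best score first.

    Every key offset is tried because a capture may begin part-way through
    the encoded buffer. Short blobs are skipped: they match by chance too often.
    """
    if len(blob) < min_len:
        return []
    hits = []
    for label, key in values.items():
        for offset in range(len(key)):
            plain = xor_repeat(blob, key, offset)
            score = text_ratio(plain)
            if score >= threshold:
                hits.append((score, label, offset, plain))
    hits.sort(key=lambda h: -h[0])  # stable sort: ties keep the lowest offset first
    return [(label, offset, plain) for _, label, offset, plain in hits]


# Constructed sample data (hypothetical field layout, not taken from a real capture).
SAMPLE_PLAINTEXT = b"host=WS-0142;user=jdoe;os=Windows 10 Pro;build=19045;ts=1535760000"
SAMPLE_CAPTURE = xor_repeat(SAMPLE_PLAINTEXT, KNOWN_XOR_VALUES["1: Celas Trade Pro"])
BINARY_CONTROL = bytes(range(0x80, 0xC0))  # high-bit bytes never decode to ASCII
TEXT_CONTROL = b"a" * 64                   # cleartext does not decode to text either

if __name__ == "__main__":
    for name, blob in [("capture", SAMPLE_CAPTURE),
                       ("truncated capture", SAMPLE_CAPTURE[5:]),
                       ("binary control", BINARY_CONTROL),
                       ("text control", TEXT_CONTROL)]:
        hits = decode_candidates(blob)
        if hits:
            label, offset, plain = hits[0]
            print(f"{name}: matches {label} at key offset {offset}: {plain!r}")
        else:
            print(f"{name}: no match")
```

A buffer of zero bytes XORs to the key itself, so a long run of nulls will score as a match; treat any hit as a lead to confirm against the MAR, not as a verdict.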

Open-Source Cryptocurrency Applications

All three AppleJeus samples are bundled with modified copies of legitimate cryptocurrency applications and can be used as originally designed to trade cryptocurrency. Both Celas LLC and JMT Trader modified the same cryptocurrency application, Q.T. Bitcoin Trader; Union Crypto Trader modified the Blackbird Bitcoin Arbitrage application.

Postinstall Scripts, Property List Files, and LaunchDaemons

The macOS X samples of all three AppleJeus versions contain scripts with similar logic. The Celas LLC script only moves the file to a new location and launches with the parameter in the background. The JMT Trader and Union Crypto Trader also perform these actions and have identical functionality. The additional actions performed by both scripts are to change the file permissions on the , make a new directory in the folder, move or to the newly created folder, and make them executable.

The files for all three AppleJeus versions have identical functionality. They differ only in the files’ names and in one default comment that was not removed from the Celas LLC . As the logic and functionality of the postinstall scripts and plist files are almost identical, the created also function the same.

They will all launch the secondary executable as Root on system load for every user.
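The persistence pattern described above (a property list that runs a program as Root on system load, with a dot-prefixed plist or program name) can be hunted for directly. The following is an added detection example, not code from the advisory: it assumes the standard macOS /Library/LaunchDaemons location, and the labels, paths and flag in the sample plists are constructed.

```python
"""Flag launchd jobs that run as root at load from hidden files."""
import plistlib
from pathlib import Path, PurePosixPath

# Standard macOS location for system-wide launchd jobs, which run as root.
DAEMON_DIRS = ("/Library/LaunchDaemons",)


def hidden_parts(path: str) -> list:
    """Path components with a leading '.', which Finder and plain `ls` omit."""
    return [p for p in PurePosixPath(path).parts
            if p.startswith(".") and p not in (".", "..")]


def assess_plist(plist_path: str, raw: bytes) -> dict:
    """Assess one launchd property list (XML or binary) given its path and bytes."""
    findings = []
    location = PurePosixPath(plist_path)
    if location.name.startswith("."):
        findings.append("hidden-plist")
    try:
        job = plistlib.loads(raw)
    except Exception:  # malformed XML or unknown format
        job = None
    if not isinstance(job, dict):
        findings.append("unparseable")
        return {"path": plist_path, "program": None,
                "findings": findings, "verdict": "review"}

    args = job.get("ProgramArguments")
    args = [str(a) for a in args] if isinstance(args, list) else []
    # launchd runs Program if present, otherwise the first ProgramArguments entry.
    program = str(job.get("Program") or (args[0] if args else ""))
    if hidden_parts(program):
        findings.append("hidden-program")
    if len(args) > 1:
        findings.append("has-parameter")
    # A LaunchDaemon runs as root unless the UserName key says otherwise.
    as_root = job.get("UserName") in (None, "root")
    if str(location.parent) in DAEMON_DIRS and job.get("RunAtLoad") is True and as_root:
        findings.append("root-at-load")

    hidden = "hidden-plist" in findings or "hidden-program" in findings
    if hidden and "root-at-load" in findings:
        verdict = "suspicious"
    elif hidden:
        verdict = "review"
    else:
        verdict = "ok"
    return {"path": plist_path, "program": program,
            "findings": findings, "verdict": verdict}


def scan(directory: str = DAEMON_DIRS[0]) -> list:
    """Assess every plist in a directory, dot-files included; return non-ok results."""
    results = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and entry.name.endswith(".plist"):
            results.append(assess_plist(entry.as_posix(), entry.read_bytes()))
    return [r for r in results if r["verdict"] != "ok"]


# Constructed samples: labels, paths and the flag are hypothetical.
SAMPLE_HIDDEN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Library/Application Support/ExampleApp/.updater",
                         "--constructed-flag"],
    "RunAtLoad": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.agent",
    "Program": "/usr/local/bin/example-agent",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for path, raw in [("/Library/LaunchDaemons/.com.example.updater.plist", SAMPLE_HIDDEN),
                      ("/Library/LaunchDaemons/com.example.agent.plist", SAMPLE_BENIGN)]:
        result = assess_plist(path, raw)
        print(result["verdict"], result["path"], result["findings"])
```

On a live host, call scan() with read access to the directory; many legitimate daemons also use RunAtLoad with arguments, which is why only the hidden-file combination is rated suspicious.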

AppleJeus Version 4: Kupay Wallet

Introduction and Infrastructure

On March 13, 2020, a new version of the AppleJeus malware was identified. The malware was marketed and distributed by a legitimate-looking company, called Kupay Wallet, on their website (Acquire Infrastructure: Domain [T1583.001]).

The domain resolved to IP address from March 20, 2020, to January 16, 2021. CrownCloud US, LLC controlled the IP address (autonomous system number [ASN] 8100), and is located in New York, NY.

The domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was ‘Domain Control Validated,’ a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Kupay Wallet Application Analysis

Windows Program

The Windows version of the malicious cryptocurrency application is an MSI Installer. The MSI executes the following actions.

  • Installs in folder
  • Installs in folder
  • Runs

The program loads a legitimate-looking cryptocurrency wallet platform, which exhibits no signs of malicious activity and is very similar to an open-source platform known as Copay, distributed by Atlanta-based company BitPay.

The program first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it is an ‘Automatic Kupay Upgrade.’ When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

  • Installs in folder
  • Installs in folder
  • Executes a script

    • Creates folder in folder
    • Moves to the new folder
    • Moves to folder
    • Runs the command to load the without a restart
    • Runs in the background

is likely a copy of an open-source cryptocurrency wallet application, loads a legitimate-looking wallet program (fully functional), and its functionality is identical to the Windows program.

The program calls its function (which contains most of the logic functionality of the malware) and sends a to the C2 server with a connection named ‘Kupay Wallet 9.0.1 (Check Update Osx)’ (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder with permissions set by the command (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and the malware, , returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The script has similar functionality to other AppleJeus scripts (Command and Scripting Interpreter: AppleScript [T1059.002]). It creates the folder in Support folder and then moves to the new folder. It moves the property list () file from the Installer package to the folder (Scheduled Task/Job: Launchd [T1053.004]). The script runs the command to load the without a restart (Command and Scripting Interpreter [T1059]). But, since the LaunchDaemon will not run automatically after the file is moved, the script launches and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

The Windows malware’s payload could not be downloaded since the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.

The stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of functionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a payload, read and write files, execute commands via the terminal, etc.

For more details on AppleJeus Version 4: Kupay Wallet, see MAR-10322463-4.v1.

AppleJeus Version 5: CoinGoTrade

Introduction and Infrastructure

In early 2020, another version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called CoinGoTrade on their website (Acquire Infrastructure: Domain [T1583.001]).

The domain resolved to IP address from February 28, 2020, to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN for and .

The domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was ‘Domain Control Validated,’ a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

CoinGoTrade Application Analysis

Windows Program

The Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and will execute the following actions.

  • Installs in folder
  • Installs in folder
  • Runs

loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it is an ‘Automatic CoinGoTrade Upgrade.’ When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

  • Installs in folder
  • Installs in folder
  • Executes a script

    • Creates folder in folder
    • Moves to the new folder
    • Moves to folder
    • Runs in the background

The program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program.

The program calls its function (which contains most of the logic functionality of the malware) and sends a to the C2 server with a connection named ‘CoinGoTrade 1.0 (Check Update Osx)’ (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder with permissions set by the command (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and the malware, , returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The script has similar functionality to the other scripts (Command and Scripting Interpreter: AppleScript [T1059.002]) and installs and in folder . It moves the property list (plist) file to the folder (Scheduled Task/Job: Launchd [T1053.004]). Because the will not run automatically after the file is moved, the script launches and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

The Windows malware’s payload could not be downloaded because the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.

The stage 2 payload for the macOS X malware was no longer available from the specified download URL. Still, a file was submitted to VirusTotal by the same user on the same date as the macOS X . These clues suggest that the submitted file may be related to the macOS X version of the malware and the downloaded payload.

The file is a 64-bit Mach-O executable with a large variety of features, all of which have been confirmed to be functional. The file has three C2 URLs hardcoded into it and communicates with them via HTTP POST requests that use a multipart form-data boundary string. Like other HIDDEN COBRA malware, uses format strings to store data collected about the system and sends it to the C2s.

For more details on AppleJeus Version 5: CoinGoTrade, see MAR-10322463-5.v1.

AppleJeus Version 6: Dorusio

Introduction and Infrastructure

In March 2020, an additional version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called Dorusio on their website, (Acquire Infrastructure: Domain [T1583.001]). Researchers collected samples for Windows and macOS X versions of the Dorusio Wallet (Develop Capabilities: Malware [T1587.001]). As of at least early 2020, the actual download links result in errors. The download page has release notes with version revisions claiming to start with version 1.0.0, released on April 15, 2019.

The domain resolved to IP address from March 30, 2020 to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN for and

The domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was ‘Domain Control Validated,’ a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Dorusio Application Analysis

Windows Program

The Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and will install the following two programs.

  • Installs in folder
  • Installs in folder
  • Runs

The program, , loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

The program first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating ‘Automatic Dorusio Upgrade.’ When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

  • Installs in folder
  • Installs in folder
  • Executes a script

    • Creates folder in folder
    • Moves to the new folder
    • Moves to folder
    • Runs in the background

The program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking wallet program (fully functional). Aside from the Dorusio logo and two new services, the wallet appears to be the same as the Kupay Wallet. This application seems to be a modification of the open-source cryptocurrency wallet Copay distributed by Atlanta-based company BitPay.

The program calls its function (which contains most of the logic functionality of the malware) and sends a to the C2 server with a connection named ‘Dorusio Wallet 2.1.0 (Check Update Osx)’ (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder with permissions set by the command (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and the malware, , returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The script has similar functionality to other AppleJeus scripts (Command and Scripting Interpreter: AppleScript [T1059.002]). It creates the folder in folder and then moves to the new folder. It moves the property list () file from the Installer package to the folder (Scheduled Task/Job: Launchd [T1053.004]). Because the will not run automatically after the file is moved, the script launches and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).
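As a detection aid for the two strings quoted above for Dorusio (the service description and the C2 connection name), the following added example, which is not part of the advisory or the MAR, scans a service inventory and a proxy log and checks whether matching requests recur at a near-constant interval. The tab-separated log layout, the assumption that the connection name is logged in the user-agent field, the 10% jitter threshold, and all host, service, and destination names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Strings quoted in the advisory text for AppleJeus version 6 (Dorusio).
SERVICE_DESCRIPTION = "Automatic Dorusio Upgrade"
C2_CONNECTION_NAME = "Dorusio Wallet 2.1.0 (Check Update Osx)"

def norm(text):
    """Case-fold and collapse whitespace so formatting quirks do not hide a match."""
    return re.sub(r"\s+", " ", text).strip().casefold()

def flag_services(records):
    """records: (host, service, description) tuples from a service inventory export."""
    return [(h, s) for h, s, d in records if norm(SERVICE_DESCRIPTION) in norm(d)]

def flag_checkins(log_text, max_jitter=0.1):
    """Group matching requests by (client, destination) and report check-in regularity."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed or truncated records instead of crashing
        ts, client, dest, agent = fields
        # Assumption: the proxy records the connection name in its user-agent field.
        if norm(C2_CONNECTION_NAME) in norm(agent):
            seen[(client, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    report = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Fixed-interval check-ins show a small spread relative to the mean gap.
        periodic = len(gaps) >= 2 and pstdev(gaps) <= max_jitter * mean(gaps)
        report[key] = {"count": len(times), "periodic": periodic}
    return report

# Constructed sample data; hosts, addresses, services and destinations are placeholders.
SERVICES = [("WS-014", "ExampleUpdaterSvc", "Automatic  Dorusio upgrade"),
            ("WS-014", "Spooler", "Print Spooler")]
PROXY_LOG = "\n".join([
    "2021-01-05T09:00:00Z\t10.0.4.17\tc2.example.invalid\tDorusio Wallet 2.1.0 (Check Update Osx)",
    "2021-01-05T09:10:01Z\t10.0.4.17\tc2.example.invalid\tdorusio wallet 2.1.0 (check update osx)",
    "2021-01-05T09:20:00Z\t10.0.4.17\tc2.example.invalid\tDorusio Wallet 2.1.0 (Check Update Osx)",
    "2021-01-05T09:21:30Z\t10.0.4.30\tupdates.example.invalid\tExampleBrowser/1.0",
    "truncated line without enough fields",
])

if __name__ == "__main__":
    print(flag_services(SERVICES), flag_checkins(PROXY_LOG))
```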

Payload

Neither the payload for the Windows nor macOS X malware could be downloaded; the C2 server is no longer accessible. The payloads are likely similar in functionality to the macOS X stage 2 from CoinGoTrade and Kupay Wallet, or the Windows stage 2 from Union Crypto.

For more details on AppleJeus Version 6: Dorusio, see MAR-10322463-6.v1.

AppleJeus 4, 5, and 6 Installation Conflicts

If a user attempts to install the Kupay Wallet, CoinGoTrade, and Dorusio applications on the same system, they will encounter installation conflicts.

If Kupay Wallet is already installed on a system and the user tries to install CoinGoTrade or Dorusio:

  • Pop-up windows appear, stating a more recent version of the program is already installed.

If CoinGoTrade is already installed on a system and the user attempts to install Kupay Wallet:

  • will be installed in the .
  • All files will be deleted.
  • The folders and files contained in the will remain installed.
  • is installed in the new folder .

If Dorusio is already installed on a system and the user attempts to install Kupay Wallet:

  • will be installed in the .
  • All files will be deleted.
  • The folders and files contained in will remain installed.
  • is installed in the new folder .

AppleJeus Version 7: Ants2Whale

Introduction and Infrastructure

In late 2020, a new version of AppleJeus was identified called ‘Ants2Whale.’ The site for this version of AppleJeus is (Acquire Infrastructure: Domain [T1583.001]). The website shows a legitimate-looking cryptocurrency company and application. The website contains multiple spelling and grammar mistakes, indicating the creator may not have English as a first language. The website states that to download Ants2Whale, a user must contact the administrator, as their product is a ‘premium package’ (Develop Capabilities: Malware [T1587.001]).

The domain resolved to IP address from September 23, 2020, to January 22, 2021. The IP address is controlled by NameCheap, Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN for and .

The domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was ‘Domain Control Validated,’ a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Ants2Whale Application Analysis

Windows Program

As of late 2020, the Windows program was not available on VirusTotal. It is likely very similar to the macOS X version detailed below.

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

  • Installs in folder
  • Installs in folder
  • Executes a script

    • Moves to folder
    • Runs in the background

The and programs and the script function almost identically to previous versions of AppleJeus and will not be discussed in depth in this advisory.

For more details on AppleJeus Version 7: Ants2Whale, see MAR-10322463-7.v1.

ATT&CK Profile

Figure 2 and table 2 provide summaries of the MITRE ATT&CK techniques observed.

Figure 2: MITRE ATT&CK enterprise techniques used by AppleJeus

Table 2: MITRE ATT&CK techniques observed

Source