December 5, 2022

Hackers backed by North Korea’s government attempted to infect the computers of hundreds of people working in a variety of industries, including news media, IT, cryptocurrency, and financial services, Google said. It added that it is being used to install the AppleJeus malware for initial access to networks and steal crypto assets.

The vulnerability, identified as CVE-2022-0609, was exploited by two distinct North Korean hacking groups. Both groups used the same exploit kit on websites that were either legitimate organizations that had been hacked or were set up specifically to serve attack code to unsuspecting visitors. One group was called Operation Dream Job, and it targeted over 250 people from ten different companies. AppleJeus, the other group, targeted 85 users.

The website was used by the attackers to distribute a Windows MSI installer disguised as the BloxHolder app, which was used to install AppleJeus malware alongside the QTBitcoin Trader app.

The BloxHolder application was discovered to be installed alongside the open-source cryptocurrency trading application QTBitcoin Trader, which is available on GitHub.

The MSI file is used to simultaneously install malicious and legitimate applications. The researchers observed the Lazarus Group installing AppleJeus in October 2022 using a weaponized Microsoft Office document named ‘OKX Binance & Huobi VIP fee comparision.xls’ rather than an MSI installer.

AppleJeus will create a scheduled task and drop additional files in the folder “%APPDATA%RoamingBloxholder” after installation via the MSI infection chain. The malware will then collect the MAC address, computer name, and OS version and send it to the C2 via a POST request, most likely to determine whether it is running on a virtual machine or sandbox.

The sources for this piece include an article in BleepingComputer.