Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cybersabotage, the attacker has been targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.
Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.
To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.
The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.
Trojanized cryptocurrency trading application
Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.
Trojanized trading application for Windows
Including malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.
A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.
When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.
We have analyzed the following Windows version of the installation package:
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC
At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.
The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and used as unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.
Properties of the shady updater tool included in the package are:
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%CelasTradeProUpdater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:jeusdownloaderdownloader_exe_vs2010Releasedloader.pdb
The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects process lists, excluding “[System Process]” and “System” processes and gets the exact OS version from the registry value at “HKLMSOFTWAREMicrosoftWindows NTCurrentVersion”. It seems that such values only exist from Windows 10, so we assume that the author developed and tested it on Windows 10.
- ProductName: Windows OS version
- CurrentBuildNumber: Windows 10 build version
- ReleaseID: Windows 10 version information
- UBR: Sub version of Windows 10 build
- BuildBranch: Windows 10 build branch information
The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y“) before uploading it to the server.
The code sends the victim’s information to a webserver using HTTP and the following URL:
The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.
The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and fixed a multipart form data separator string “jeus“.
Using encryption, the custom separator string wouldn’t be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.
After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“[email protected]%Df324V$Yd“). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.
During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.
|Additional trojanized sample #1||Additional trojanized sample #1|
|Installation package MD5||4126e1f34cf282c354e17587bb6e8da3||0bdb652bbe15942e866083f29fb6dd62|
|Package creation date||2018-08-03 09:57:29||2018-08-13 0:12:10|
|Dropped updater MD5||ffae703a1e327380d85880b9037a0aeb||bbbcf6da5a4c352e8846bf91c3358d5c|
|Updater creation date||2018-08-03 09:50:08||2018-08-11 7:28:08|
|Updater Build path||H:DEVTManagerDLoader20180702dloaderWorkingDirOutput|