Lazarus hacking group spreads malware using a fake cryptocurrency app called BloxHolder. This made-up brand pretends to offer cryptocurrency applications, tricking users to install AppleJeus malware.
AppleJeus malware, identified in 2018, enables the threat actors to have initial access to a network and steal crypto assets. The malware shows new evolution in the infection chain and abilities in this current campaign.
The new campaign
The campaign started when Lazarus Group registered the domain bloxholder[.]com. The website Lazarus Group built there is a clone of the legitimate website HaasOnline. HaasOnline is a Dutch company that developed HaasScript which is a crypto scripting language that allows users to create complex automated trading algorithms.
The cloned website distributed a Windows MSI installer that pretended to be an installer for the BloxHolder app.
Volexity experts were not able to retrieve the final payload employed since October, but they noticed similarities in the DLL sideloading mechanism which is similar to the one used in the attacks relying on MSI installer.
Upon installation through the MSI infection chain, AppleJeus will create a scheduled task and drop additional files in the folder “%APPDATA%\Roaming\Bloxholder\”.