“We have observed how the Lazarus group has constantly evolved—from waging cyber espionage campaigns worldwide to financial attacks against major banks. Last year, we warned that they are not after your data anymore. And indeed, they aren’t. These state-backed attackers are now ramping up the sophistication of their attacks and widening their reach to steal more money and trick the cybersecurity industry,” warns Seongsu Park, Senior Security Researcher in the Global Research and Threat Analysis Team (GReAT), Kaspersky Lab Asia Pacific.
Kaspersky Lab researchers have analyzed the forensic details of the Lazarus APT group’s new malicious operations, which at first glance looked like a supply chain attack. Dubbed AppleJeus, the attack compromised users through a Trojanized trading application, Celas Trade Pro, developed by a legitimate company named Celas Limited.
Being Trojanized means infected by a Trojan, a type of malware often disguised as legitimate software. Once activated, Trojans enable cybercriminals to spy on users, steal sensitive data, and gain backdoor access to systems.
Researchers found evidence that the heist against South Korea’s cryptocurrency exchange CoinIS, which lost almost $2 million USD, was a malicious operation by the Lazarus group. Kaspersky Lab’s researchers believe that the cybergang targeted the online wallets of users of CoinIS’s HTA (Home Trading Application) program via this supply chain attack. After this, the infamous hackers stepped up their game with a more sophisticated strategy—faking supply chain attacks to steal cryptocurrency.
Researchers looked into the developer of the Trojanized trading application and found that, while the Celas LLC company possesses a valid SSL certificate for signing its software and legitimate-looking registration records for its domain, the address recorded in the certificate’s information leads to false locations, at least based on the publicly available information retrieved during the investigation.
The high-profile APT group has also developed a reconnaissance-module malware with almost the same capabilities whether deployed on Windows or macOS. This module first evaluates whether a device is worth attacking before infecting it, in the guise of a software update, with a Trojan known as Fallchill. This old but reliable Trojan is another known tool associated with Lazarus.
“With major attacks up its sleeve—such as the Bangladesh Bank heist and the WannaCry ransomware, to name a few—the Lazarus group is like a constant presence in the world of cybersecurity, and it is getting quite adept at hiding and spreading its evil schemes. The extensive effort it exerts to create malware for the supposedly safer macOS environment, and the intricate details needed to create a legitimate-looking application and software company, prove it is far from stopping. There are more attacks to come, and we had better be ready because it won’t get any easier,” warns Park.
To boost the defenses of consumer devices and company networks from attacks like AppleJeus, Kaspersky Lab suggests being more prudent when choosing third-party vendors. The global cybersecurity company also calls for more caution when trusting legitimate-looking software applications, certificates, and developers.
A highly sophisticated solution that enables businesses to detect targeted attacks and other malicious actions through the careful monitoring of network activity, web, and email, like the Kaspersky Anti Targeted Attack Platform, can also provide an added layer of protection against sophisticated financial threats.