cryptocurrency, dll side-loading, hackers, lazarus group, north korea, microsoft

The North Korean ‘Lazarus’ hacking group is linked to a new attack spreading fake cryptocurrency apps under the made-up brand, “BloxHolder,” to install the AppleJeus malware for initial access to networks and steal crypto assets.

According to a joint FBI and CISA report from February 2021, AppleJeus has been in circulation since at least 2018, used by Lazarus in cryptocurrency hijacking and digital asset theft operations.

A new report by Volexity has identified new, fake crypto programs and AppleJeus activity, with signs of evolution in the malware’s infection chain and abilities.

New BloxHolder campaign

The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022.

In this campaign, the threat actors used the “bloxholder[.]com” domain, a clone of the HaasOnline automated cryptocurrency trading platform.


Legitimate (left) and clone website (right) (Volexity)

This website distributed a 12.7MB Windows MSI installer that pretended to be the BloxHolder app. However, in reality, it was the AppleJeus malware bundled with the QTBitcoinTrader app.

In October 2022, the hacking group evolved their campaign to use Microsoft Office documents instead of the MSI installer to distribute the malware.

The 214KB document was named ‘OKX Binance & Huobi VIP fee comparision.xls’ and contained a macro that creates three files on a target’s computer.

Volexity couldn’t retrieve the final payload from this later infection chain, but they noticed similarities in the DLL sideloading mechanism found in the previously used MSI installer attacks, so they’re confident it’s the same campaign.

Upon installation through the MSI infection chain, AppleJeus will create a scheduled task and drop additional files in the folder “%APPDATA%\Roaming\Bloxholder”.

Next, the malware will collect the MAC address, computer name, and OS version and send it to the C2 via a POST request, likely to identify if it’s running on a virtual machine or sandbox.

One novel element in recent campaigns is chained DLL sideloading to load the malware from within a trusted process, evading AV detection.

“Specifically, ‘CameraSettingsUIHost.exe’ loads the ‘dui70.dll’ file from the ‘System32’ directory, which then causes the loading of the malicious ‘DUser.dll’ file from the application’s directory into the ‘CameraSettingsUIHost.exe’ process,” explains Volexity.

“The ‘dui70.dll’ file is the ‘Windows DirectUI Engine’ and is normally installed as part of the operating system.”


Chained DLL sideloading (Volexity)

Volexity says the reason Lazarus opted for chained DLL sideloading is unclear but might be to impede malware analysis.
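As an added illustration (not code from the article or from Volexity), the check below shows how a defender could spot the chain described above in Sysmon Event ID 7 (ImageLoad) style records: the legitimate dui70.dll lives in System32, so DUser.dll being pulled into CameraSettingsUIHost.exe from an application directory is the anomaly. The record layout and the sample paths are constructed for the example.

```python
"""Flag chained DLL sideloading into CameraSettingsUIHost.exe.

Added example, not the article's or Volexity's code. It inspects
ImageLoad-style records and reports any load of a DLL from the chain
(dui70.dll or DUser.dll) into the trusted host process when the DLL
comes from outside a Windows system directory or is unsigned.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Host binary and chain DLLs named in the article.
HOST_PROCESS = "camerasettingsuihost.exe"
CHAIN_DLLS = {"dui70.dll", "duser.dll"}
# Directories where the legitimate copies are expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoad:
    image: str         # process that performed the load (Sysmon "Image")
    image_loaded: str  # full path of the module (Sysmon "ImageLoaded")
    signed: bool       # Sysmon "Signed" field


def is_suspicious_load(ev: ImageLoad) -> bool:
    """True when the host process loads a chain DLL from a non-system path."""
    if PureWindowsPath(ev.image).name.lower() != HOST_PROCESS:
        return False
    loaded = PureWindowsPath(ev.image_loaded)
    if loaded.name.lower() not in CHAIN_DLLS:
        return False
    parent = str(loaded.parent).lower()
    return parent not in SYSTEM_DIRS or not ev.signed


def scan(events):
    """Return the paths of every module load that looks like a sideload."""
    return [ev.image_loaded for ev in events if is_suspicious_load(ev)]


# Constructed sample telemetry: one benign system load, the chain start, the
# sideloaded DUser.dll, and an unrelated process loading the same file name.
APP = r"C:\Users\u\AppData\Roaming\Bloxholder"
SAMPLE = [
    ImageLoad(r"C:\Windows\System32\CameraSettingsUIHost.exe", r"C:\Windows\System32\dui70.dll", True),
    ImageLoad(APP + r"\CameraSettingsUIHost.exe", r"C:\Windows\System32\dui70.dll", True),
    ImageLoad(APP + r"\CameraSettingsUIHost.exe", APP + r"\DUser.dll", False),
    ImageLoad(r"C:\Windows\explorer.exe", APP + r"\DUser.dll", False),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("suspicious sideload:", hit)
```

A second signal worth pairing with this check is the host binary itself running from an application directory rather than System32, as in the constructed records above.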

Another new characteristic in recent AppleJeus samples is that all its strings and API calls are now obfuscated using a custom algorithm, making them stealthier against security products.

Lazarus’ focus on cryptocurrency assets is well documented, and the North Korean hackers remain fixed on their goal of stealing digital money, constantly refreshing lures and improving their tools to stay as stealthy as possible.

Who is the Lazarus Group?

The Lazarus Group (also tracked as ZINC) is a North Korean hacking group that has been active since at least 2009.

The group gained notoriety after hacking Sony Films in Operation Blockbuster and for the 2017 global WannaCry ransomware campaign that encrypted systems at businesses worldwide.

Google discovered in January 2021 that Lazarus was creating fake online personas to target security researchers in social engineering attacks that installed backdoors on their devices. A second attack using this tactic was discovered in March 2021.

The U.S. government sanctioned the Lazarus hacking group in September 2019 and now offers a reward of up to $5 million for information that can disrupt their activities.

More recent attacks have turned to the spreading of trojanized cryptocurrency wallets and trading apps that steal people’s private keys and drain their crypto assets.

In April, the U.S. government linked the Lazarus group to a cyberattack on Axie Infinity that allowed them to steal over $617 million worth of Ethereum and USDC tokens.

It was later revealed that the Axie Infinity hack was made possible due to a phishing attack containing a malicious PDF file pretending to be a job offer sent to one of the company’s engineers.
