Operation AppleJeus: North Korea’s Cryptocurrency Malware

Tags: cryptocurrency, Lazarus, North Korea

After Operation AppleJeus was made public, the Lazarus group continued to use a similar modus operandi to compromise cryptocurrency businesses: trojanized cryptocurrency trading and wallet applications delivered from look-alike vendor domains.

Indicators of Compromise

celasllc.com
wfcwallet.com
cyptian.com
index.do
aeroplans.info
www.private-kurier.com
www.jmttrading.org
beastgoc.com
unioncrypto.vip
www.buckfast-zucht.de
invesuccess.com
www.wb-invest.net
www.wb-bot.org
mydealoman.com
www.chainfun365.com
a8332f3a.bitcoin-dns.hosting
1a7ea920.bitcoin-dns.hosting
www.celasllc.com
www.domains4bitcoins.com
libertyvps.net
black.host
njal.la
cellasllc.com
c358ea2d.bitcoin-dns.hosting
ad636824.bitcoin-dns.hosting
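The domain list above is only useful once it is run against something. The following is an added example (not code from the original page or from any vendor report on this campaign) that matches DNS query logs against these indicators, including queries for subdomains of a listed domain. Assumptions not stated on the page: the log line format is a constructed `timestamp client query: qname` layout, the sample log lines are made up for the test, and the three entries `libertyvps.net`, `black.host` and `njal.la` are treated as generic hosting or registrar infrastructure (they are shared providers, so a hit on them alone is scored low confidence rather than as a campaign match).

```python
"""Match DNS query logs against the Operation AppleJeus domain indicators.

Added example; the log format and the confidence tiers are assumptions
made for this illustration, not something the campaign page specifies.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Domains copied verbatim from the indicator list above.
APPLEJEUS_DOMAINS = {
    "celasllc.com", "wfcwallet.com", "cyptian.com", "index.do",
    "aeroplans.info", "www.private-kurier.com", "www.jmttrading.org",
    "beastgoc.com", "unioncrypto.vip", "www.buckfast-zucht.de",
    "invesuccess.com", "www.wb-invest.net", "www.wb-bot.org",
    "mydealoman.com", "www.chainfun365.com",
    "a8332f3a.bitcoin-dns.hosting", "1a7ea920.bitcoin-dns.hosting",
    "www.celasllc.com", "www.domains4bitcoins.com", "libertyvps.net",
    "black.host", "njal.la", "cellasllc.com",
    "c358ea2d.bitcoin-dns.hosting", "ad636824.bitcoin-dns.hosting",
}

# Assumption (not on the page): these are shared hosting/registrar
# providers, so a lookup of them alone is a weak signal.
SHARED_INFRA = {"libertyvps.net", "black.host", "njal.la"}

# Assumed log layout: "<timestamp> <client-ip> query: <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot resolvers often log."""
    return name.rstrip(".").lower()


def match_domain(qname: str, iocs: set[str] = APPLEJEUS_DOMAINS) -> str | None:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Walks the label suffixes (a.b.c -> a.b.c, b.c) but never tests the
    bare TLD, so an indicator list can never match every .com lookup.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    indicator: str
    confidence: str  # "high" for campaign domains, "low" for shared infra


def scan(lines: list[str]) -> list[Hit]:
    """Parse log lines and return every indicator hit, in log order."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # unparsable line: skip rather than crash the sweep
            continue
        indicator = match_domain(m["qname"])
        if indicator is None:
            continue
        confidence = "low" if indicator in SHARED_INFRA else "high"
        hits.append(Hit(m["ts"], m["client"], normalize(m["qname"]),
                        indicator, confidence))
    return hits


# Constructed sample log lines for demonstration (not real telemetry).
SAMPLE_LOG = [
    "2024-01-10T09:12:01Z 10.0.4.17 query: www.celasllc.com.",
    "2024-01-10T09:12:05Z 10.0.4.17 query: update.unioncrypto.vip",
    "2024-01-10T09:13:44Z 10.0.9.2 query: c358ea2d.bitcoin-dns.hosting",
    "2024-01-10T09:14:02Z 10.0.9.2 query: www.example.com",
    "garbage line that does not parse",
    "2024-01-10T09:15:30Z 10.0.2.5 query: njal.la",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.client} {h.qname} -> {h.indicator} [{h.confidence}]")
```

Two practical points: the walk over parent labels is what catches `update.unioncrypto.vip` against the listed `unioncrypto.vip`, but it deliberately does not match an unlisted `something.bitcoin-dns.hosting`, since only specific hashed subdomains of that provider are indicators; and low-confidence hits on shared providers should be correlated with the host's process and download history rather than blocked outright.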

APT Groups (1)

Lazarus Group (Korea, Democratic People's Republic of)
Aliases: Labyrinth Chollima, Hidden Cobra, Diamond Sleet, Group 77, Whois Hacking Team, APT-C-26, NewRomanic Cyber Army Team, UNC2970, UNC577, TraderTraitor, TA404, SectorA01, ATK 3, Gods Disciples, Appleworm, Guardians of Peace, UNC4736, DEV-0139, ITG03, Lazarus Group, UNC4034, Jade Sleet, Zinc, Hastati Group, UNC4899, Gods Apostles

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

  • Initiate your organization’s incident response plan.
  • Generate new keys for wallets, and/or move funds to new wallets.
  • Introduce a two-factor authentication solution as an extra layer of verification.
  • Use hardware wallets, which keep the private keys in a separate, secured storage area.
  • To move funds out of a compromised wallet:
    • Do not use the trojanized cryptocurrency applications associated with this campaign to transfer funds, and
    • Form all transactions offline, then broadcast them to the network all at once in a short online session, ideally before the attacker can access the funds.
  • Remove impacted hosts from the network.
  • Assume the threat actors have moved laterally within the network and downloaded additional malware.
  • Change all passwords for any accounts associated with impacted hosts.
  • Reimage impacted host(s).
  • Install anti-virus software and run daily deep scans of the host.
  • Ensure your anti-virus software is set up to download the latest signatures daily.
  • Install host-based intrusion detection (HIDS) software and keep it up to date.
  • Ensure all software and hardware are up to date and all patches have been installed.
  • Ensure a network-based firewall is installed and up to date.
  • Ensure the firewall’s firmware is up to date.

Reports & References (1)

Observed Countries (29)

Country code (observation count):

AR (265)
AU (675)
BE (70)
BR (973)
CN (592)
DE (697)
DK (803)
EE (322)
ES (359)
GB (511)
HK (339)
HU (383)
IL (285)
IN (404)
IT (378)
JP (65)
LU (753)
MT (924)
NL (683)
NZ (88)
PL (397)
RU (315)
SA (25)
SE (652)
SG (568)
SI (527)
TR (180)
UA (383)
US (313)