![]() The search for the DLL is done in that order and the first one found gets loaded. The same folder/directory the executable is in.When an executable loads a dynamic link library (DLL) in Windows, it looks for the library in a few locations. ![]() In the background, the installer creates a Scheduled Task which executes the legitimate executable CameraSettingsUIHost.exe at logon of any user on the affected system. The start screen of the BloxHolder installer In fact, it was the AppleJeus malware bundled with the QTBitcoinTrader app, an open source cryptocurrency trading application which has been used by Lazarus before. The cloned website distributed a Windows MSI installer that pretended to be an installer for the BloxHolder app. HaasOnline is a Dutch company that developed HaasScript which is a crypto scripting language that allows users to create complex automated trading algorithms. The website Lazarus Group built there is a clone of the legitimate website HaasOnline. The campaign started when Lazarus Group registered the domain bloxholdercom. All of this is done to create an environment where the group can initiate fraudulent cryptocurrency transactions. In April, CISA warned that Lazarus Group uses these trojanized applications to gain access to victims' computers, spread other malware, and steal private keys or to exploit other security gaps. Since 2018, one of Lazarus Group's tactics has been to disguise AppleJeus malware as cryptocurrency trading platforms for both Windows and Mac. One of the group's preferred tactics is to use trojanized cryptocurrency related apps, like AppleJeus. ![]() It is thought to conduct financial cybercrimes as a way to raise money for a regime that has few trading opportunities, because of long-standing international sanctions. ![]() The Lazarus group is commonly believed to be run by the North Korean government. Now, researchers at Volexity have analyzed a new campaign that is likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by using malicious Microsoft Office documents. In January of 2022 the Malwarebytes Intelligence Team uncovered a campaign where Lazarus conducted spear phishing attacks weaponized with malicious documents that used a familiar job opportunities theme. It's been active since 2009 and is responsible for many high profile attacks. The North Korean Lazarus Group, aka APT38, is one of the most sophisticated North Korean APTs. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |