This Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.
This MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see Joint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware at https://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.
There have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. In most versions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an unsuspecting individual downloads a third-party application from a website that appears legitimate.
The U.S. Government has identified AppleJeus malware version—JMT Trading—and associated IOCs used by the North Korean government in AppleJeus operations.
JMT Trading malware, discovered by a cybersecurity company in October 2019, is a legitimate-looking cryptocurrency trading software that is marketed and distributed by a company and website—JMT Trading and jmttrading[.]org, respectively—that appear legitimate.
For a downloadable copy of IOCs, see: MAR-10322463-2.v1.stix.
Submitted Files (6)
07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542 (jmttrader.msi)
081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6 (JMTTrader.exe)
4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806 (jmttrader_mac.dmg)
7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea (JMTTrader)
9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641 (CrashReporter.exe)
e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55 (CrashReporter)
Domains (2)
beastgoc.com
jmttrading.org
Findings
07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542
Tags
backdoordroppertrojan
Details
Name | jmttrader.msi |
---|---|
Size | 11524608 bytes |
Type | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {A2814B39-244E-4899-81F9-F995B8DC1A80}, Number of Words: 2, Subject: JMTTrader, Author: JMT Trading Group LLC, Name of Creating Application: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer database contains the logic and data required to install JMTTrader., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 |
MD5 | c4aa6f87124320eadc342d2fe7364896 |
SHA1 | 4fcc84583126689d03acf69b9fca5632f7d44752 |
SHA256 | 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542 |
SHA512 | 51b34ae0a0e9252705206f2d9e87136706f51a70cc110e8493ff1266303ae33f09c1e89f329ae8f776a610c88f155e02afeb63a8bc7762ce307143fdff944172 |
ssdeep | 196608:p/5qF8q187MZjfZjowfMjVS9Qkj6YotsEXw6xws8CV/KFmpZ3zyl:B5qCyBfRfMjVS4RXw6EFF |
Entropy | 7.962353 |
Antivirus
Ahnlab | MSI/Dropper |
---|---|
Avira | TR/Agent.rhbwd |
Comodo | Malware |
Ikarus | Trojan.Win32.Agent |
Microsoft Security Essentials | Backdoor:Win32/Stealer.A!MSR |
NetGate | Trojan.Win32.Malware |
Symantec | Trojan.Gen.MBT |
TrendMicro | Backdoo.80EE6F49 |
TrendMicro House Call | Backdoo.80EE6F49 |
Relationships
07c38ca1e0… | Downloaded_From | jmttrading.org |
07c38ca1e0… | Contains | 081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6 |
07c38ca1e0… | Contains | 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641 |
Description
This Windows program from the JMTTrade GitHub site is a Windows MSI Installer. The installer looks legitimate and previously had a valid digital signature from Comodo (Sectigo). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for “jmttrading.org.” The installer asks for administrative privileges to run and while installing “JMTTrader.exe” (081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6) in the “C:\Program Files (x86)\JMTTrader” folder, it also installs “CrashReporter.exe” (9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641) in the “C:\Users\<username>\AppData\Roaming\JMTTrader” folder. Immediately after installation, the installer launches “CrashReporter.exe” with the “Maintain” parameter.
Screenshots
Figure 1 – Screenshot of the JMTTrader Installation.
jmttrading.org
Tags
command-and-control
Whois
Whois for jmttrading.org had the following information on October 11, 2019:
Registrar: NameCheap
Created: July 11, 2019
Expires: July 11, 2020
Updated: September 10, 2019
Relationships
jmttrading.org | Downloaded_To | 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806 |
jmttrading.org | Downloaded_To | 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542 |
Description
This site contained a “Download from GitHub” button which takes the user to the JMTTrader GitHub page (github.com/jmttrading/JMTTrader/releases) where both Windows and OSX versions of JMTTrader were available for download. There are also zip and a tar.gz files containing the source code. JMT Trading has a legitimately signed Sectigo SSL certificate. The SSL certificate was “Domain Control Validated,” just as the Celas LLC certificate for AppleJeus variant 1. The domain was registered at the IP address 198.187.29.20 with ASN 22612.
081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6
Tags
trojan
Details
Name | JMTTrader.exe |
---|---|
Size | 2645744 bytes |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 70cf78e117359b17f079c128fcead8c8 |
SHA1 | 8ec7f4b39f0843e5eae3b8af01578fd8e4432995 |
SHA256 | 081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6 |
SHA512 | 8e21ea416f4c58743183394a28e347bc5c45f40306a8ffa7eef8403cf340538acf0794fd7bfdf60e120822fae5a21fc0f15de28cdf91d64f866781eb260b302e |
ssdeep | 49152:RHvo5BtSCkrN6DyhGr2W8Ujk4DJX4TnKuwdJg0b:65+rN+8GSog4lX/ |
Entropy | 7.024119 |
Antivirus
Emsisoft | MalCert.A (A) |
---|---|
Sophos | Mal/BadCert-Gen |
PE Metadata
Compile Date | 2019-07-29 03:06:34-04:00 |
---|---|
Import Hash | 03d73bcb914fff965a82c9d9fe1fb7a1 |
Company Name | JMT Trading Group |
File Description | JMT Trader |
Internal Name | JMT Trader |
Legal Copyright | JMT Trading Group (C) 2019 |
Original Filename | JMTTrader.exe |
Product Name | Automatic Secure Bitcoin Trader Application |
Product Version | 1.40.42 |
PE Sections
MD5 | Name | Raw Size | Entropy |
---|---|---|---|
f9a353aa651137f95669fd2b1a50e70b | header | 1024 | 3.181420 |
d00e20fb387da8ab6898391019288f30 | .text | 1181696 | 6.125747 |
c7fcd13c45b7c15042b8024839cf18c4 | .rdata | 1269248 | 7.095514 |
7504000617caec62a5a3221a785a58a8 | .data | 6144 | 4.261115 |
55550745e0d79ebbad96ac438f26f8a1 | .rsrc | 13312 | 7.626081 |
8ae8dead88483b69b09b01b024e882a2 | .reloc | 165376 | 6.784821 |
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.? |
Relationships
081d173942… | Contained_Within | 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542 |
Description
This file is a 32-bit Windows executable contained within the Windows MSI Installer “JMTTrader_Win.msi.” When executed, “JMTTrader.exe” asks for the user’s exchange, and then loads a legitimate cryptocurrency trading platform with no signs of malicious activity.
“JMTTrader.exe” is similar in appearance to version 1 and QT Bitcoin Trader. In addition to similar appearance, many strings found in “JMTTrader.exe” have QT Bitcoin Trader references and parameters being set to “JMT Trader” including but not limited to:
–Begin similarities–
String_ABOUT_QT_BITCOIN_TRADER_TEXT=JMT Trader
String_ABOUT_QT_BITCOIN_TRADER_TEXT=JMT Trader is a free Open Source project<br>developed on pure C++ Qt and OpenSSL.
QtBitcoinTraderClass
July IGHOR (note: Ighor July is one of the developers of QT Bitcoin Trader)
–End similarities–
The strings also reference the name “Gary Mendez” with email [email protected] as the author of “JMTTrader.exe.” There is also reference to an additional GitHub repository under the name Gary Mendez “github.com/garymendez/JMTTrader/issues.”
While the JMTTrader application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader for Windows is not available for download as an MSI, but only as a Windows portable executable. This is a singular file named “QtBitcoinTrader.exe” and does not install or run any additional programs. The JMTTrader MSI contains “JMTTrader.exe,” the modified version of QT Bitcoin Trader, as well as the additional “CrashReporter.exe” (9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641) executable not included with the original QT Bitcoin Trader.
Screenshots
Figure 2 – Screenshot of the JMTTrader Application.
9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641
Tags
backdoortrojan
Details
Name | CrashReporter.exe |
---|---|
Size | 609008 bytes |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 48971e0e71300c99bb585d328b08bc88 |
SHA1 | ec8d7264953b5e9e416b7e8483954d9907278f2f |
SHA256 | 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641 |
SHA512 | 6a664cd56e2201237bb24c148f39db6878e7cb6bb507290144f4cea327989535dbea64db11de398eee822aae56e873126dc95e2abf73642070f5f15c61d9eb19 |
ssdeep | 12288:VhOHEwPzMEoJ1BpfYYPmrv3l1dxs6GWRGuGTi2euRBFXTnn8HPIRlxhD44ENrYAt:zOHEwPzMEoJ1BpfYYPmrv3l1dxs6GWRz |
Entropy | 6.526076 |
Antivirus
Ahnlab | Trojan/Win32.Stealer |
---|---|
Antiy | Trojan[Backdoor]/Win32.Stealer |
Avira | TR/Agent.lnumk |
BitDefender | Gen:Variant.Razy.567005 |
Comodo | Malware |
ESET | a variant of Win32/NukeSped.GN trojan |
Emsisoft | MalCert.A (A) |
Ikarus | Trojan.Win32.Agent |
K7 | Trojan ( 005597f41 ) |
Lavasoft | Gen:Variant.Razy.567005 |
Microsoft Security Essentials | Backdoor:Win32/Stealer.A!MSR |
NANOAV | Trojan.Win32.Crypted.gczdoi |
NetGate | Trojan.Win32.Malware |
Sophos | Troj/APosT-L |
Symantec | Trojan.Gen.2 |
Systweak | trojan.nukesped |
TrendMicro | Backdoo.80EE6F49 |
TrendMicro House Call | Backdoo.80EE6F49 |
VirusBlokAda | Backdoor.Agent |
Zillya! | Trojan.NukeSped.Win32.182 |
PE Metadata
Compile Date | 2019-10-04 03:22:31-04:00 |
---|---|
Import Hash | 1513eba25694f99cecbcdc6cb414f6bd |
PE Sections
MD5 | Name | Raw Size | Entropy |
---|---|---|---|
cedc0880c9b0b6fea37e0079f1a4b406 | header | 1024 | 2.832478 |
189feb1b74269eaa7894c984df4268c3 | .text | 367104 | 6.351925 |
03c4cd021cfac8b5a8c0b944712e3217 | .rdata | 78336 | 4.408592 |
cf410dbcdd83eb2426120e72027f119b | .data | 130048 | 5.206737 |
bf619eac0cdf3f68d496ea9344137e8b | .rsrc | 512 | 0.000000 |
fe66dfb20b91197d86cc8bbf0fc7139c | .reloc | 23040 | 6.417054 |
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.? |
Relationships
9bf8e8ac82… | Contained_Within | 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542 |
9bf8e8ac82… | Connected_To | beastgoc.com |
Description
This file is a 32-bit Windows executable contained within the Windows MSI Installer “JMTTrader_Win.msi.” Unlike the first version of the malware, “CrashReporter.exe” is installed in the “C:\Users\<username>\AppData\Roaming\JMTTrader,” which is a different folder than “JMTTrader.exe.” “CrashReporter.exe” is heavily obfuscated with the ADVObfuscation library, which has been renamed “snowman” by the malware writer. ADVObfuscation is described as using C++ 11/14 language to generate, at compile time, obfuscated code without using any external tool and without modifying the compiler and introduces some form of randomness to generate polymorphic code like the encryption of strings literals and the obfuscation of calls using finite state machines. Due to this obfuscation, detailed functionality can be difficult to determine to the extent of the non-obfuscated “Updater.exe” binary.
At launch, “CrashReporter.exe” first checks for the “Maintain” parameter and if not found, exits the program to likely evade detection in a sandbox environment. The malware collects basic victim information and encrypts the data with the hardcoded XOR key “X,%`PMk–Jj8s+6=15:20:11.”
The encrypted data is sent to “hxxps[:]//beastgoc.com/grepmonux.php” with a multipart form data separator “–wMKBUqjC7ZMG5A5g.”
The malware’s capabilities include reading/writing itself to various directories, querying/writing to the registry, searching for files, extract/decode payload, and terminating processes. “CrashReporter.exe” also creates a scheduled SYSTEM task named “JMTCrashReporter,” which runs the “CrashReporter.exe” program with the “Maintain” parameter at the login of any user.
Screenshots
Figure 3 – Hard-coded XOR key and XOR encryption.
Figure 4 – Screenshot of the “JMTCrashReporter” scheduled task.
beastgoc.com
Tags
command-and-control
URLs
- https[:]//beastgoc.com/grepmonux.php
Whois
Whois information for the domain beastgoc.com on October 11, 2019 was as follows:
Registrar: NameCheap
Created Date: July 19, 2019
Expiration Date: July 19, 2020
Relationships
beastgoc.com | Connected_From | 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641 |
beastgoc.com | Connected_From | e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55 |
Description
The site “beastgoc.com” had as valid digital signature signed by Sectigo. This is a “Domain Control Validated” signature, which is the lowest level of validation. The domain was registered at the IP address 185.228.83.32 with ASN 205406.
4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806
Tags
backdoortrojan
Details
Name | jmttrader_mac.dmg |
---|---|
Size | 13583316 bytes |
Type | zlib compressed data |
MD5 | 39cdf04be2ed479e0b4489ff37f95bbe |
SHA1 | 74390fba9445188f2489959cb289e73c6fbe58e4 |
SHA256 | 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806 |
SHA512 | d04bc9adbe56414ec2cba134ebf8af42ef79495a89748367464e73c6dd69fd978a194df23a646ff90d45114bf68a93f580cd540ba3b600a6524b198294416148 |
ssdeep | 393216:sEFxMIZkTx7Nzm4qbicUC7Gk6RH1NBTtJRr49Hg4pgl:sEFiIYw4u8HxTDOi |
Entropy | 7.997633 |
Antivirus
Ahnlab | Backdoor/OSX.NukeSped |
---|---|
Antiy | Trojan/Win32.Casdet |
Avira | OSX/W97M.CVE-2017-8759.wrdas |
BitDefender | Trojan.MAC.Lazarus.G |
Comodo | Malware |
Cyren | Trojan.HUJK-1 |
ESET | OSX/NukeSped.B trojan |
Emsisoft | Trojan.MAC.Lazarus.G (B) |
Ikarus | Trojan.Win32.Casdet |
Lavasoft | Trojan.MAC.Lazarus.G |
McAfee | OSX/Nukesped.d |
Microsoft Security Essentials | Trojan:MacOS/NukeSped.A!MTB |
Sophos | OSX/Lazarus-E |
Symantec | OSX.Trojan.Gen |
TrendMicro | Backdoo.6FE2634B |
TrendMicro House Call | Backdoo.6FE2634B |
Zillya! | Backdoor.Agent.OSX.57 |
Relationships
4d6078fc1e… | Downloaded_From | jmttrading.org |
4d6078fc1e… | Contains | 7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea |
4d6078fc1e… | Contains | e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55 |
Description
This OSX program from the JMTTrader GitHub is an Apple DMG installer. The OSX program has very similar functionality to the Windows program, but does not have a digital signature. Again, the installer appears to be legitimate and installs both JMTTrader in the “/Applications/JMTTrader.app/Contents/MacOS/” folder and a hidden program named “.CrashReporter” in the “/Applications/JMTTrader.app/Contents/Resources/” folder. The installer contains a postinstall script (see Figure 5).
This postinstall script has similar functionality to the postinstall script of the first version but has a few additional features. It still moves the hidden plist file (.com.jmttrading.plist) to the LaunchDaemons folder, but also changes the file permissions on the plist. Once in the LaunchDaemons folder, this program will be ran on system load as root for every user, which will launch the CrashReporter program with the Maintain parameter.
The postinstall script also moves the “.CrashReporter” program to a new location “/Library/JMTTrader/CrashReporter” and makes it executable. Like CelasTradePro, as the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script then launches the CrashReporter program with the Maintain parameter and runs it in the background (&).
The package also has “Developed by Gary Mendez. JMTTrading Group” in the Info.plist properties file.
Screenshots
Figure 5 – Screenshot of the postinstall script included in OSX JMTTrader installer.
Figure 6 – Screenshot of the “com.jmttrading.plist” file.
7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea
Tags
trojan
Details
Name | JMTTrader |
---|---|
Size | 3585364 bytes |
Type | Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE> |
MD5 | ffc2a7073ba362b295357ac6e782634a |
SHA1 | 6d13e85cd812e249ab950ec405e84289de9cfe5e |
SHA256 | 7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea |
SHA512 | 1d14e41e306816323fcaa54fb7f420148c50fc0388a86178a41ce63c9fc5b1f29d2614d9c8445a13198c6920d4bded3dbf48641ee4795dbef4b78e6c48b91a80 |
ssdeep | 98304:rDhoAFpEA86GIleAdNH2vFywLw6mkJarN+8GSy:b5HrNiSy |
Entropy | 6.796243 |
Relationships
7ea6391c11… | Contained_Within | 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806 |
Description
This OSX sample was contained within Apple DMG Installer “JMTTrader_Mac.dmg.” When exexuted, JMTTrader has identical functionality and appearance to the Windows JMTTrader.exe. It asks for the user’s exchange and loads a legitimate cryptocurrency trading application with no signs of malicious activity. While the appearance has changed slightly from the CelasTradePro application, JMTTrader is close in appearance to both CelasTradePro and QT Bitcoin Trader, and is likely a modification of the OSX QT Bitcoin Trader.
In addition to similar appearance, many strings found in JMTTrader have QT Bitcoin Trader references and parameters being set to “JMT Trader” including but not limited to:
–Begin similarities–
String_ABOUT_QT_BITCOIN_TRADER_TEXT=JMT Trader
String_ABOUT_QT_BITCOIN_TRADER_TEXT=JMT Trader is a free Open Source project<br>developed on pure C++ Qt and OpenSSL.
User-Agent: Qt Bitcoin Trader v1.40.42
July IGHOR (note: Ighor July is one of the developers of QT Bitcoin Trader)
–End similarities–
The strings also reference the name “Gary Mendez” with email [email protected] as the author of JMTTrader.exe. There is also reference to an additional GitHub repository under the name Gary Mendez “github.com/garymendez/JMTTrader/issues.”
While the JMTTrader application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader DMG for OSX does not contain the postinstall script nor the plist file which creates a LaunchDaemon. When executed, only QTBitcoinTrader will be installed, and no additional programs will be created, installed, or launched.
In contrast, the JMTTrader DMG contains the CelasTradePro OSX executable, the modified version of QT Bitcoin Trader, as well as the additional CrashReporter OSX executable not included with the original QT Bitcoin Trader.
e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55
Tags
trojan
Details
Name | CrashReporter |
---|---|
Size | 39168 bytes |
Type | Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE> |
MD5 | 6058368894f25b7bc8dd53d3a82d9146 |
SHA1 | 8644da026f9e8873dd8699bd68c77a25001be726 |
SHA256 | e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55 |
SHA512 | d849270a89d8ab52006dd92557d82e9966ecb9a8958a1e84510ef67bc085fa4f6eb7142c0b045e3aa9932e5a270981aba7f3fc147222d9277272c227e246797e |
ssdeep | 384:TgSifNpZ0XMY923gMnldxdzd7tmEtP0lLnXjXZfV:TgTFp8EgMD9WXj |
Entropy | 2.672204 |
Antivirus
Ahnlab | OSX/Agent |
---|---|
Antiy | Trojan/Mac.NukeSped |
Avira | OSX/Agent.qhhyt |
BitDefender | Trojan.MAC.Agent.DU |
ClamAV | Osx.Malware.Agent-7335874-0 |
ESET | OSX/NukeSped.B trojan |
Emsisoft | Trojan.MAC.Agent.DU (B) |
Ikarus | Trojan.OSX.Agent |
Lavasoft | Trojan.MAC.Agent.DU |
McAfee | OSX/Nukesped.a |
Microsoft Security Essentials | Trojan:MacOS/NukeSped.A!MTB |
NANOAV | Trojan.Mac.NukeSped.gdjieu |
Quick Heal | MacOS.Trojan.39995.GC |
Sophos | OSX/Lazarus-E |
Symantec | OSX.Trojan.Gen |
TrendMicro | Trojan.BC5298BA |
TrendMicro House Call | Trojan.BC5298BA |
Zillya! | Trojan.NukeSped.OSX.2 |
Relationships
e352d6ea4d… | Contained_Within | 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806 |
e352d6ea4d… | Connected_To | beastgoc.com |
Description
This OSX sample was contained within Apple DMG Installer “JMTTrader_Mac.dmg.” CrashReporter likely functions very similarly to the Windows CrashReporter.exe program, but unlike the Windows program, it is not obfuscated. This lack of obfuscation makes it easier to determine the program’s functionality in detail.
Upon launch, the malware checks for the “Maintain” parameter, and will exit if the parameter is not found, likely to avoid sandbox analysis.
CrashReporter then creates a randomly generated token (identifier) and collects the binary’s version and process ID to send to the server. This data is XOR encrypted with the hard-coded key “X,%`PMk–Jj8s+6=\x02” (last value is a non-printable ASCII character which is hexadecimal \x02). While the key is different than the XOR key for the Windows sample, the first 16 bytes are the same.
The encrypted data is sent to the same C2 server as the Windows sample at hxxps[:]//beastgoc.com/grepmonux.php with the multipart data form separator “jGzAcN6k4VsTRn9”. CrashReporter also has a hard-coded user-agent string: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36” along with other hard-coded values sent with the data including “token,” “query,” and “mont.jpg.”
If CrashReporter receives a response with the HTTP code 200 (successful), it will invoke another function which will wait for tasking from the C2 server. When a tasking is received, the function decrypts the data with the same hardcoded XOR key and processes the tasking. Accepted tasking commands include the following:
–Begin accepted tasking commands–
“exit”: this command will cause CrashReporter to gracefully exit
“up”: this command will upload a file from the C2 server to the infected host
“stand ”: this command will execute commands from the server via the shell using the popen API (the “popen()” function opens a process by creating a bidirectional pipe, forking, and invoking the shell)
–End accepted tasking commands–
These possible commands from the C2 server gives the remote attacker full control over the OSX system. It is likely that the functionality of the Windows CrashReporter.exe is the same as this OSX malware, as the original AppleJeus had the same functionality on both operating systems.
Screenshots
Figure 7 – Screenshot of the maintain parameter verification in CrashReporter.