S0584 AppleJeus
AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[1]
Item | Value |
---|---|
ID | S0584 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 01 March 2021 |
Last Modified | 28 September 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.[1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | AppleJeus has sent data to its C2 server via POST requests.[1][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.004 | Unix Shell | AppleJeus has used shell scripts to execute commands after installation and set persistence mechanisms.[1][2] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | AppleJeus can install itself as a service.[1] |
enterprise | T1543.004 | Launch Daemon | AppleJeus has placed a plist file within the LaunchDaemons folder and launched it manually.[1][2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | AppleJeus has decoded files received from a C2.[1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.016 | Installer Packages | During AppleJeus's installation process, it uses postinstall scripts to extract a hidden plist from the application's /Resources folder and execute the plist file as a Launch Daemon with elevated permissions.[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | AppleJeus has exfiltrated collected host information to a C2 server.[1] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | AppleJeus has added a leading "." to plist filenames, unlisting them from the Finder app and default Terminal directory listings.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | AppleJeus has deleted the MSI file after installation.[1] |
enterprise | T1027 | Obfuscated Files or Information | AppleJeus has XOR-encrypted collected system information prior to sending it to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.002 | Spearphishing Link | AppleJeus has been distributed via spearphishing link.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.[1] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | AppleJeus has used a valid digital signature from Sectigo to appear legitimate.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.007 | Msiexec | AppleJeus has been installed via MSI installer.[1] |
enterprise | T1082 | System Information Discovery | AppleJeus has collected the victim host information after infection.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.001 | Launchctl | AppleJeus has loaded a plist file using the launchctl command.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | AppleJeus's spearphishing links required user interaction to navigate to the malicious website.[1] |
enterprise | T1204.002 | Malicious File | AppleJeus has required user execution of a malicious MSI installer.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | AppleJeus has waited a specified time before downloading a second stage payload.[1] |
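Added example, not part of the ATT&CK entry: a small Python audit of a LaunchDaemons-style directory that surfaces the dot-prefixed plists described under T1564.001 and T1543.004 and reports the Label and program each one would run. The directory, file names and plist contents are constructed in the script so it runs offline; on a real host you would point audit_launch_daemons() at /Library/LaunchDaemons.

```python
# Added example (not the ATT&CK entry's own code): list every .plist in a
# LaunchDaemons-style directory, flag dot-prefixed ones, and show what each
# would execute. Sample directory and plists below are constructed for the demo.
import os
import plistlib
import tempfile


def audit_launch_daemons(directory):
    """Describe each .plist; os.listdir() returns dotfiles, so hidden ones are included."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            data = {}  # unreadable plist: still record that the file exists
        findings.append({
            "file": name,
            "hidden": name.startswith("."),  # skipped by Finder and a plain `ls`
            "label": data.get("Label"),
            "program": data.get("ProgramArguments") or data.get("Program"),
            "run_at_load": bool(data.get("RunAtLoad", False)),
        })
    return findings


def hidden_daemons(findings):
    """Only the dot-prefixed entries, i.e. those a Finder review would miss."""
    return [f for f in findings if f["hidden"]]


def build_sample_dir():
    """Constructed sample: one ordinary daemon plus one dot-prefixed daemon."""
    d = tempfile.mkdtemp(prefix="launchdaemons_demo_")
    samples = {
        "com.example.updater.plist": {"Label": "com.example.updater",
            "ProgramArguments": ["/usr/local/bin/updater"], "RunAtLoad": True},
        ".com.example.hidden.plist": {"Label": "com.example.hidden",
            "ProgramArguments": ["/bin/sh", "/tmp/constructed_demo.sh"], "RunAtLoad": True},
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    for f in hidden_daemons(audit_launch_daemons(build_sample_dir())):
        print("hidden LaunchDaemon:", f["file"], "->", f["program"])
```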
Groups That Use This Software
ID | Name | References |
---|---|---|
G0032 | Lazarus Group | [1] |