Skip to content

S0584 AppleJeus

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.1

Item Value
ID S0584
Associated Names
Version 1.1
Created 01 March 2021
Last Modified 28 September 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols AppleJeus has sent data to its C2 server via POST requests.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell AppleJeus has used shell scripts to execute commands after installation and set persistence mechanisms.12
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service AppleJeus can install itself as a service.1
enterprise T1543.004 Launch Daemon AppleJeus has placed a plist file within the LaunchDaemons folder and launched it manually.12
enterprise T1140 Deobfuscate/Decode Files or Information AppleJeus has decoded files received from a C2.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.016 Installer Packages During AppleJeus‘s installation process, it uses postinstall scripts to extract a hidden plist from the application’s /Resources folder and execute the plist file as a Launch Daemon with elevated permissions.2
enterprise T1041 Exfiltration Over C2 Channel AppleJeus has exfiltrated collected host information to a C2 server.1
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion AppleJeus has deleted the MSI file after installation.1
enterprise T1027 Obfuscated Files or Information AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.1
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link AppleJeus has been distributed via spearphishing link.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing AppleJeus has used a valid digital signature from Sectigo to appear legitimate.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec AppleJeus has been installed via MSI installer.1
enterprise T1082 System Information Discovery AppleJeus has collected the victim host information after infection.1
enterprise T1569 System Services -
enterprise T1569.001 Launchctl AppleJeus has loaded a plist file using the launchctl command.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link AppleJeus‘s spearphishing links required user interaction to navigate to the malicious website.1
enterprise T1204.002 Malicious File AppleJeus has required user execution of a malicious MSI installer.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion AppleJeus has waited a specified time before downloading a second stage payload.1

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1