AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.[1] |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
AppleJeus has sent data to its C2 server via |
Enterprise | T1059 | .004 | Command and Scripting Interpreter: Unix Shell |
AppleJeus has used shell scripts to execute commands after installation and set persistence mechanisms.[1] |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service | |
.004 | Create or Modify System Process: Launch Daemon |
AppleJeus has placed a plist file within the |
||
Enterprise | T1140 | Deobfuscate/Decode Files or Information | ||
Enterprise | T1041 | Exfiltration Over C2 Channel |
AppleJeus has exfiltrated collected host information to a C2 server.[1] |
|
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
AppleJeus has added a leading |
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion | |
Enterprise | T1027 | Obfuscated Files or Information |
AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.[1] |
|
Enterprise | T1566 | .002 | Phishing: Spearphishing Link | |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.[1] |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
AppleJeus has used a valid digital signature from Sectigo to appear legitimate.[1] |
Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec | |
Enterprise | T1082 | System Information Discovery |
AppleJeus has collected the victim host information after infection.[1] |
|
Enterprise | T1569 | .001 | System Services: Launchctl |
AppleJeus has loaded a plist file using the |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
AppleJeus's spearphishing links required user interaction to navigate to the malicious website.[1] |
.002 | User Execution: Malicious File |
AppleJeus has required user execution of a malicious MSI installer.[1] |
||
Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
AppleJeus has waited a specified time before downloading a second stage payload.[1] |
ID | Name | References |
---|---|---|
G0032 | Lazarus Group |