Fake crypto app leveraged for AppleJeus malware distribution in new Lazarus attack

Networks and cryptocurrency assets have been targeted by North Korean state-sponsored hacking group Lazarus in the new BloxHolder campaign, which leverages fraudulent cryptocurrency apps to distribute the AppleJeus malware, BleepingComputer reports. From June to October, Lazarus spread AppleJeus through the "bloxholder[.]com" domain, which clones the automated crypto trading platform HaasOnline, according to a Volexity report. While Lazarus initially used a Windows MSI installer masquerading as the BloxHolder app to spread AppleJeus, the hacking group moved to leverage Microsoft Office files for malware distribution in October. The report showed that installation of the malware would prompt the creation of scheduled task and drop additional files in the "%APPDATA%RoamingBloxholder" folder, followed by MAC address, computer name, and OS version collection. Such data will then be given to the command-and-control server to determine potential virtual machine or sandbox usage. Moreover, antivirus system detection is being bypassed through chained DLL sideloading for malware loading.