
FBI Warning: North Korea ramping up its ‘AppleJeus’ crypto hacks

As a pariah state, the Democratic People's Republic of Korea has been largely cut off from the international community. With few trading partners and enduring punishing international sanctions, North Korea is doubling down on crypto crime as a revenue generator.

In terms of its hacking history, North Korea is no shrinking violet. In the past decade, for example, the state-sponsored Lazarus Group (known as Hidden Cobra by U.S. authorities and as Zinc by Microsoft) has been involved in several large-scale cyberattacks that primarily targeted the U.S. and South Korea. These attacks have included a DDoS attack on major South Korean and U.S. websites, several attacks on financial institutions and media outlets, and a highly publicized attack on Sony in 2014.

In a 2020 report, crypto intelligence firm Recorded Future wrote that for the North Korean political and military elite the internet is not simply a fascination or leisure activity, but is a “critical tool for revenue generation, gaining access to prohibited technologies and knowledge, and operational coordination.”

FBI releases North Korean ‘AppleJeus’ warning

On February 17th the FBI released an alert warning that the Lazarus Group was escalating its AppleJeus (pronounced "Apple Juice") malware attacks on companies and individuals. The Bureau said North Korea would be targeting cryptocurrency exchanges and financial service companies in particular. The method of attack is to spread trojanized crypto trading apps that have been modified to steal cryptocurrency.

The alert says that the affected apps work on both Windows and Mac operating systems. They appear to have been sent by a reputable crypto company and appear legitimate – tricking victims into downloading and installing them. The FBI says the apps are circulating under the following names: Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio and Ants2Whale.

[Figure: AppleJeus Attack World Map. AppleJeus attacks have been recorded in 30 countries in the last 12 months.]

The FBI says crypto users can protect themselves against AppleJeus by:

  • Verifying the source of cryptocurrency-related applications.
  • Using multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.
  • Using custodial accounts with multi-factor authentication mechanisms for both device and user verification.
  • Using cryptocurrency service businesses that have indemnity protections for stolen cryptocurrency.
  • Having a unique dedicated device for cryptocurrency management.

Lazarus Group evolves with the market

In 2020 the Lazarus Group targeted several cryptocurrency and financial vertical firms with a phishing campaign to gain access to crypto wallets and bank accounts. Researchers at F-Secure said employees were typically targeted via LinkedIn messages which arrived with phishing documents attached. The document would be disguised as a job advertisement for a role in a blockchain company that matched the target's skills. Once the victim opened the malicious document, a pop-up would say it was protected under GDPR restrictions and that the user would have to enable macros in Microsoft Word to access the content. Once the macro was enabled, malicious code would execute.
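The lure above depends on the victim enabling macros in a Word document. As an added example (not code from the original article, F-Secure or the FBI), the following Python script uses only the standard library to triage an Office Open XML file before it is opened: it flags the presence of a VBA project part and the macro-enabled content type, which are the reliable indicators that a "job advertisement" can run code. The sample documents it builds are constructed stubs, and the file names are hypothetical.

```python
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled document (.docm).
MACRO_MAIN_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"  # part that holds the VBA project when macros exist


def triage_office_document(data: bytes, filename: str) -> dict:
    """Return macro indicators for an OOXML document held in memory.

    The VBA project part is the reliable indicator; its compressed VBA source
    is deliberately not parsed here (that needs a dedicated tool).
    """
    result = {"has_vba_project": False, "macro_enabled_type": False,
              "extension_mismatch": False, "verdict": "clean"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            result["has_vba_project"] = VBA_PART in names
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_enabled_type"] = MACRO_MAIN_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"  # not a zip container at all
        return result
    ext = filename.lower().rsplit(".", 1)[-1]
    # A file presented as plain .docx that still carries a VBA project deserves a look.
    result["extension_mismatch"] = result["has_vba_project"] and ext == "docx"
    if result["has_vba_project"] or result["macro_enabled_type"]:
        result["verdict"] = "review-before-enabling-macros"
    return result


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for demonstration only (not a real lure)."""
    ctype = MACRO_MAIN_CONTENT_TYPE if with_macros else PLAIN_MAIN_CONTENT_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed stub")  # not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_document(build_sample(True), "job_description.docm"))
    print(triage_office_document(build_sample(False), "job_description.docx"))
```

A document that scores "review-before-enabling-macros" should be opened in Protected View, or handed to analysis tooling, rather than having its macros enabled on the prompt of a pop-up.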

The payload of the attack would enable the hackers to download files, decompress data in memory, initiate command and control communication, execute arbitrary commands, and steal credentials and other data for accessing cryptocurrency wallets and bank accounts.

Other common attack vectors from the Lazarus Group include: a request for assistance with creating a website with romantic undertones, documentation on a blockchain technology called ALCHAIN, a request for assistance with creating an Initial Coin Offering (ICO), a whitepaper for an ICO, a request application to develop a cryptocurrency exchange platform, and a request for help creating an email marketing tool.

In May 2020, Lazarus was also behind macOS spyware that hid in a two-factor authentication (2FA) application. In July, it targeted online payments made by American and European customers using Advanced Package Tool (APT) software.

Lazarus carried out 2020's biggest cryptocurrency exchange heist, against KuCoin. The Singapore-based exchange lost around USD 275 million of Bitcoin, Ethereum, and other ERC20 tokens. This attack alone amounted to half the cryptocurrency stolen in 2020. Lazarus had previously hacked the South Korean exchanges Upbit in 2019 and Coinlink and Bithumb in 2017. It is also thought to be responsible for an attack on the Slovenian hash power provider NiceHash in 2017.

An interesting element of the 2020 KuCoin hack was Lazarus’s use of Decentralized Finance (DeFi) platforms to launder stolen funds. With many DeFi platforms and exchanges users can remain anonymous and there are few KYC or AML provisions – an ideal scenario for cyber-criminals.

Illicit Monero mines channeling funds to Pyongyang

Stealing cryptocurrencies from exchanges and wealthy users is not the only cryptocurrency-related activity that North Korean hackers are involved in. The country is also behind the spread of web-based Monero (XMR) mining malware, which mines the anonymous cryptocurrency using the CPU power of users who have visited infected websites, without their knowledge. Monero is one of several cryptocurrencies that can be mined with a standard desktop computer.

Recorded Future says that network traffic for Monero (XMR) mining originating from North Korean IP addresses increased “at least tenfold” in 2019. The mined Monero is being sent to an address at the Kim Il Sung University in Pyongyang, North Korea.

Monero mining software has been made popular by CoinHive, which promotes web-based Monero mining as an alternative monetization stream for websites that prefer not to run adverts. However, if users of a site are not made aware of the Monero mining script that is using up their CPU power, the use of this software is considered malicious.

The Biden administration's upcoming review of the US's strategy on North Korea will take into account investigations into the country's cybercrime capabilities, says State Department spokesperson Ned Price. Price's comments come after three North Koreans were charged by the Department of Justice for "participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform."

North Korea’s history of crypto hacking

In 2017 North Korea’s cybercriminals started focusing their attention on cryptocurrencies as a new source of funds for the beleaguered regime. The Lazarus Group began targeting South Korean bitcoin exchanges and bitcoin users and stealing crypto holdings using spear-phishing campaigns against exchange employees and individual users.

UN Report: North Korea pocketed $571 million from exchange hacks

The first reported North Korean hack of a South Korean bitcoin exchange happened in February 2017 when Bithumb was hacked for around $7 million worth of crypto. Throughout the year, numerous successful cryptocurrency cyber thefts occurred in South Korea, including at the bitcoin exchange Youbit, which was forced to declare bankruptcy after 17 percent of its total assets were stolen.

The WannaCry ransomware attack

In May 2017 the global ransomware attack commonly known as the WannaCry attack was also conducted out of North Korea, in an attempt to generate income through bitcoin ransom payments. During the WannaCry attack, numerous international corporations and public sector institutions were affected and forced to pay a bitcoin ransom to regain access to their systems. In total, over 400,000 machines were affected by the malware worldwide.

While the attackers only managed to earn $120,000 worth of bitcoin in ransom payments, the attacks nonetheless caused havoc for organizations such as the Deutsche Bundesbahn (DB) and the National Health Service (NHS) in the United Kingdom.
