MAR-10322463-1.v1 - AppleJeus: Celas Trade Pro
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency. This MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see Joint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at https://www.us-cert.cisa.gov/ncas/alerts/AA21-048A. There have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. In most versions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an unsuspecting individual downloads a third-party application from a website that appears legitimate. The U.S. Government has identified AppleJeus malware version—Celas Trade Pro—and associated IOCs used by the North Korean government in AppleJeus operations. In August 2018, open source reporting revealed information about a Trojanized version of a legitimate cryptocurrency trading application on a victim’s computer (Note: identity of the victim was not disclosed). The malicious program, known as Celas Trade Pro, is a modified version of the benign QT Bitcoin Trader application. This incident led to the victim company being infected with the malware known to the U.S. Government as FALLCHILL, a North Korean remote administration tool (RAT). According to CISA, FALLCHILL “is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDENCOBRA malware. Because of this, additional HIDDENCOBRA malware may be present on systems compromised with FALLCHILL." Celas Trade Pro had been recommended to the victim company via a phishing email from a company known as Celas Limited. The email provided a link to the Celas Limited website (https://www[.]celasllc.com), where the user could download a Windows or MacOS version of the Celas Trade Pro software.
For a downloadable copy of IOCs, see: MAR-10322463-1.v1.stix.

Submitted Files (6)
5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0 (Updater)
6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69 (celastradepro_win_installer_1....)
a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765 (CelasTradePro.exe)
bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb (Updater.exe)
c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70 (CelasTradePro)
d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04 (celastradepro_mac_installer_1....)

Domains (1)
celasllc.com

Findings

6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69
Tags: dropper, trojan
Details
YARA Rules: No matches found. ssdeep Matches: No matches found.
Description
This Windows program from the Celas LLC site is a Windows MSI Installer. The installer looks legitimate and previously had a valid digital signature from Comodo (Sectigo). The signature was signed with a code signing certificate purchased by the same user as the Secure Sockets Layer (SSL) certificate for "celasllc.com." The installer asks for administrative privileges to run and, while installing "CelasTradePro.exe" (a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765), it also installs "Updater.exe" in the “C:\Program Files (x86)\CelasTradePro” folder. Immediately after installation, the installer launches "Updater.exe" (bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb) with the “CheckUpdate” parameter.
Screenshots
Figure 1 - Screenshot of the CelasTradePro installation.

celasllc.com
Tags: command-and-control
Whois
Whois for celasllc.com had the following information in August 2018:
Description
The Celas Limited website had a professional appearance, and at the time had a valid Secure Sockets Layer (SSL) certificate issued by Comodo (now Sectigo). The SSL certificate was “Domain Control Validated," which is a weak security verification level for a webserver. Typically, this is a fully automated verification where the certificate requester only needs to demonstrate control over the domain name (i.e. with an email like admin[@]celasllc.com). This type of certificate necessitates no validation of the identity of the website’s owner, nor the existence of the actual business. At the time of analysis, the domain celasllc.com resolved to IP address 185.142.236.213, which belongs to the Netherlands Amsterdam Blackhost Ltd ISP, AS174, Cogent Communications.
Screenshots
Figure 2 - Screenshot of the Celas LLC website.

a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765
Tags: trojan
Details
YARA Rules: No matches found. ssdeep Matches: No matches found.
Description
This file is a 32-bit Windows executable contained within the Windows MSI Installer "celastradepro_win_installer_1.00.00.msi." When executed, "CelasTradePro.exe" asks for the user’s exchange and then loads a legitimate cryptocurrency trading platform with no signs of malicious activity. CelasTradePro is extremely similar in appearance to a version of an open source cryptocurrency trading platform available around the same timeframe known as QT Bitcoin Trader (figures 3 and 4). In addition to the similar appearance, many strings found in CelasTradePro have QT Bitcoin Trader references and parameters being set to “Celas Trade Pro”, including but not limited to: --Begin similarities-- The strings also reference the name “John Broox” as the author of CelasTradePro. While the CelasTradePro application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader for Windows is not available for download as an MSI, but only as a Windows portable executable. This is a single file named "QtBitcoinTrader.exe" and does not install or run any additional programs. The CelasTradePro MSI contains "CelasTradePro.exe," the modified version of QT Bitcoin Trader, as well as the additional "Updater.exe" (bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb) executable not included with the original QT Bitcoin Trader.
Screenshots
Figure 3 - Screenshot of the CelasTradePro application.
Figure 4 - Screenshot of the QT Bitcoin Trader application.

bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb
Tags: downloader, loader, spyware, trojan
Details
YARA Rules: No matches found. ssdeep Matches: No matches found.
Description
This file is a 32-bit Windows executable contained within the Windows MSI Installer "celastradepro_win_installer_1.00.00.msi." "Updater.exe" has the same program icon as CelasTradePro. Updater.exe was likely developed under the name “jeus” based on the build path “Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb” found in the code (partial origin of the name AppleJeus). "Updater.exe" collects victim host information and sends it back to the server. At launch, the malware first checks for the “CheckUpdate” parameter and, if it is not found, exits the program. This is likely to evade detection in a sandbox environment. If the "CheckUpdate" parameter is found, the malware creates a unique identifier for the system following the format “%09d-%05d." It then collects the process list, excluding the “System” processes, and queries the registry at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion” for the following values: --Begin values-- After collecting this information, "Updater.exe" encrypts the data with the hard-coded XOR key “Moz&Wie;#t/6T!2y," prepends the encrypted data with “GIF89a” (image header), and sends the data to "celasllc.com/checkupdate.php." The malware also uses a hard-coded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0” and the multipart form data separator “jeus." If the malware receives a response with HTTP code 200, it decodes the base64 payload, then decrypts the result using the hard-coded RC4 decryption key “W29ab@ad%Df324V$Yd." The raw data is then written to a file prepended with the “MAX_PATHjeusD” string.
Screenshots
Figure 5 - Screenshot of the "CheckUpdate" parameter verification in "Updater.exe."
Figure 6 - Hard-coded XOR key and XOR encryption in "Updater.exe."

d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04
Tags: downloader, dropper, loader, trojan
Details
YARA Rules: No matches found. ssdeep Matches: No matches found.
Description
This OSX program from the Celas LLC site is an Apple DMG Installer. The OSX program has very similar functionality to the Windows program and also previously had a valid digital signature from Comodo. Again the installer appears to be legitimate, and installs CelasTradePro as well as a program named “Updater” in the “/Applications/CelasTradePro.app/Contents/MacOS/” folder. The installer contains a postinstall script (see figure 7). A postinstall script is a sequence of instructions which runs after the successful installation of an OSX application. This script moves the hidden “.com.celastradepro.plist” file from the installer package to the LaunchDaemons folder. This file is hidden because the leading “.” causes it to not be shown to the user if they view the folder in the Finder application. Once in the LaunchDaemons folder, this plist file will be run on system load as root for every user. This will launch the Updater program with the CheckUpdate parameter. As the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script then launches the Updater program with the CheckUpdate parameter and runs it in the background (&). The package also has “Developed by John Broox. CELAS LLC” in the Info.plist properties file.
Screenshots
Figure 7 - Screenshot of the postinstall script included in OSX Celas installer.
Figure 8 - Screenshot of the "com.celastradepro.plist" file.

c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70
Tags: trojan
Details
YARA Rules: No matches found. ssdeep Matches: No matches found.
Description
This OSX sample was contained within Apple DMG Installer "celastradepro_mac_installer_1.00.00.dmg." When executed, CelasTradePro has identical functionality and appearance to the Windows version CelasTradePro.exe. It asks for the user’s exchange and loads a legitimate cryptocurrency trading application with no signs of malicious activity. As functionality and appearance are the same, it follows that CelasTradePro is a modification of the OSX QT Bitcoin Trader. In addition to the similar appearance, many strings found in CelasTradePro have QT Bitcoin Trader references and parameters being set to “Celas Trade Pro”, including but not limited to: --Begin similarities-- The strings also reference the name “John Broox” as the author of CelasTradePro. While the CelasTradePro application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader DMG for OSX does not contain the postinstall script nor the plist file which creates a LaunchDaemon. When run, only QTBitcoinTrader will be installed, and no additional programs will be created, installed, or launched. The CelasTradePro DMG contains the CelasTradePro OSX executable (the modified version of QT Bitcoin Trader) as well as the additional Updater OSX executable not included with the original QT Bitcoin Trader.
Screenshots
Figure 9 - Screenshot of the legitimate QTBitcoinTrader DMG contents.

5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0
Tags: backdoor, downloader, loader, trojan
Details
YARA Rules: No matches found. ssdeep Matches: No matches found.
Description
This OSX sample was contained within Apple DMG Installer "celastradepro_mac_installer_1.00.00.dmg." Updater functions very similarly to the Windows Updater.exe, and collects victim host information to send back to the server. Upon launch, the malware checks for the “CheckUpdate” parameter and, like the Windows sample, exits if the parameter is not found. This is likely to avoid sandbox analysis. If the “CheckUpdate” parameter is found, the malware then creates a unique identifier for the system following the format “%09d-%06d." Updater then uses dedicated QT classes to get system information including host name, OS type and version, system architecture, and OS kernel type and version. The QT Framework is a cross-platform toolkit designed for creating multi-platform applications with native Graphical User Interfaces (GUI) for each platform. After collecting this data, Updater follows the same process as the Windows "Updater.exe" to encrypt and send the data. All data is XOR encrypted with the hard-coded key “Moz&Wie;#t/6T!2y”, prepended with “GIF89a” (image header), and sent to www[.]celasllc.com/checkupdate.php. The malware uses the same multipart form data separator “jeus” but has a different hard-coded User-Agent string of “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36." If Updater receives a response with the HTTP code 200, it decodes the base64 payload and decrypts it using the same hard-coded RC4 key “W29ab@ad%Df324V$Yd” as the Windows malware. The decrypted data is then saved to the hard-coded “/var/zdiffsec” file location, file permissions are changed to executable for all users, and the file is started with the hard-coded command line argument “bf6a0c760cc642."
Screenshots
Figure 10 - Screenshot of the "CheckUpdate" parameter verification in "Updater."
Figure 11 - Screenshot of various hard-coded values in "Updater."
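Both Updater samples above wrap their beacon and unwrap the C2 reply the same way: XOR with “Moz&Wie;#t/6T!2y” behind a “GIF89a” header outbound, base64 then RC4 with “W29ab@ad%Df324V$Yd” inbound. The following Python decoder is added here as an example and is not code from this report; it lets an analyst recover the plaintext of captured checkupdate.php traffic. It assumes a repeating-key XOR (the report says only “XOR key”), that the extracted multipart part body is what gets decoded, and that the “jeus” separator appears as the standard boundary= parameter of the Content-Type header; all sample data is constructed.

```python
"""Decoder for the AppleJeus 'Updater' beacon and C2 response formats in this MAR.
Added example, not the report's code. Assumes repeating-key XOR (not stated in
the report); sample data below is synthetic."""
import base64
from itertools import cycle

XOR_KEY = b"Moz&Wie;#t/6T!2y"          # hard-coded XOR key documented in the report
RC4_KEY = b"W29ab@ad%Df324V$Yd"        # hard-coded RC4 key documented in the report
GIF_MAGIC = b"GIF89a"                  # fake image header prepended to each beacon
WIN_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0"
MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36")
BOUNDARY = "jeus"                      # multipart form-data separator used by both samples

def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; assumption, since the report does not give the key schedule."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def rc4(data: bytes, key: bytes = RC4_KEY) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_beacon(body: bytes) -> bytes:
    """Recover the host-survey plaintext from a captured checkupdate.php POST part."""
    if not body.startswith(GIF_MAGIC):
        raise ValueError("not an AppleJeus beacon: missing GIF89a prefix")
    return xor_bytes(body[len(GIF_MAGIC):])

def encode_beacon(plaintext: bytes) -> bytes:
    """Inverse of decode_beacon; used here only to build synthetic test traffic."""
    return GIF_MAGIC + xor_bytes(plaintext)

def decode_response(body: bytes) -> bytes:
    """Recover the second-stage payload from an HTTP 200 body: base64, then RC4."""
    return rc4(base64.b64decode(body))

def encode_response(payload: bytes) -> bytes:
    """Inverse of decode_response; used here only to build synthetic test traffic."""
    return base64.b64encode(rc4(payload))

def is_suspicious_request(headers: dict) -> bool:
    """Detection helper: the documented User-Agent paired with the 'jeus' boundary."""
    ua = headers.get("User-Agent", "")
    ctype = headers.get("Content-Type", "")
    return ua in (WIN_UA, MAC_UA) and f"boundary={BOUNDARY}" in ctype

if __name__ == "__main__":
    # Constructed survey text standing in for the real process list / registry values.
    beacon = encode_beacon(b"000000001-00001|explorer.exe|Windows 7 Professional")
    print(decode_beacon(beacon))
    print(decode_response(encode_response(b"MZ\x90\x00constructed-stage2")))
```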
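For the LaunchDaemon persistence described under the macOS DMG installer above (a dot-prefixed “.com.celastradepro.plist” that starts Updater with CheckUpdate as root at load), the following Python hunt script is an added example, not the report's or any project's code. It flags plists in /Library/LaunchDaemons by hidden filename, the documented label, the Updater path, or the CheckUpdate argument; it assumes the standard launchd keys Label and ProgramArguments, and the demo writes a constructed copy of the plist into a temporary directory rather than touching the real system.

```python
"""Hunt for the launchd persistence described for the macOS Celas Trade Pro installer.
Added example, not the report's code. Assumes standard launchd plist keys (Label,
ProgramArguments); the plist built by demo() is constructed, not a recovered sample."""
import os
import plistlib
import tempfile

LAUNCH_DAEMON_DIRS = ["/Library/LaunchDaemons"]
# Indicators documented in this MAR for .com.celastradepro.plist
KNOWN_LABEL = "com.celastradepro"            # assumption: plist Label mirrors the file name
SUSPICIOUS_ARG = "CheckUpdate"
SUSPICIOUS_PATH = "/Applications/CelasTradePro.app/Contents/MacOS/Updater"

def inspect_plist(path):
    """Return the list of reasons a single LaunchDaemon plist matches this campaign."""
    reasons = []
    if os.path.basename(path).startswith("."):
        reasons.append("hidden filename (leading dot) in LaunchDaemons")
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except (plistlib.InvalidFileException, OSError):
        return reasons + ["unparseable plist"]
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program", "")
    if plist.get("Label") == KNOWN_LABEL:
        reasons.append("Label matches com.celastradepro")
    if SUSPICIOUS_ARG in args:
        reasons.append("launches with the CheckUpdate argument")
    if program == SUSPICIOUS_PATH or (args and args[0] == SUSPICIOUS_PATH):
        reasons.append("program is the CelasTradePro Updater binary")
    return reasons

def hunt(dirs=LAUNCH_DAEMON_DIRS):
    """Scan each directory (os.listdir includes dot-files) and keep plists with findings."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if name.endswith(".plist"):
                full = os.path.join(d, name)
                reasons = inspect_plist(full)
                if reasons:
                    findings[full] = reasons
    return findings

def demo():
    """Write a constructed malicious plist and a benign one to a temp dir, then hunt there."""
    tmp = tempfile.mkdtemp()
    evil = {"Label": KNOWN_LABEL,
            "ProgramArguments": [SUSPICIOUS_PATH, SUSPICIOUS_ARG],
            "RunAtLoad": True}
    with open(os.path.join(tmp, ".com.celastradepro.plist"), "wb") as fh:
        plistlib.dump(evil, fh)
    benign = {"Label": "com.example.backup",
              "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}
    with open(os.path.join(tmp, "com.example.backup.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    return hunt([tmp])

if __name__ == "__main__":
    for path, why in demo().items():
        print(path, "->", "; ".join(why))
```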
Conclusion
After a cyber-security organization published a report detailing the above programs and their malicious extras, the Celas LLC site was no longer accessible. As this site was the command and control (C2) server, the payload cannot be confirmed. The cyber security organization that published the AppleJeus report states the payload was an encrypted and obfuscated binary which eventually drops FALLCHILL onto the machine and installs it as a service. The FALLCHILL sample found by the cyber security organization had two default C2 server addresses: The C2 185.142.236.226 resides in the same Autonomous System Number (ASN) and ISP as the celasllc.com domain. Furthermore, these IP addresses have been used in three earlier versions of FALLCHILL for C2 according to open source reporting: --Begin MD5 and timestamp-- File Properties for this sample of FALLCHILL after decryption: FALLCHILL malware uses an RC4 encryption algorithm with a 16-byte key to protect its communications. According to reporting from the cyber-security organization that published the original AppleJeus report, the key extracted from the FALLCHILL variant used in the Celas Trade Pro application is “DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B." This RC4 key has also been used in a previous version of FALLCHILL used by DPRK actors, as further documented in the US-CERT Malware Analysis Report AR18-165A released on June 14, 2018. This report was a joint effort by the FBI and DHS, while working with other U.S. Government partners, to analyze and attribute computer intrusion activity from the DPRK. Note: The version numbers for AppleJeus correspond to the order in which the campaigns were identified, in open source or through investigative means. These versions may or may not be in the correct order for development or deployment of the AppleJeus campaigns.
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Central.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.
Revisions
February 17, 2021: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.