North Korea-linked Lazarus APT ran a campaign distributing fake cryptocurrency apps under the BloxHolder brand to push the AppleJeus malware and gain initial access to crypto users. The operation, active June–October 2022, used a cloned HaasOnline site and multi-stage payloads delivered via MSI installers and weaponized Office documents, with OpenDrive hosting the final payload.
Keypoints
- Lazarus Group (North Korea) targeted cryptocurrency users by distributing fake crypto apps branded as BloxHolder to install AppleJeus malware.
- Campaign began in June 2022; attackers registered bloxholder.com and created a site cloning HaasOnline’s platform to spread the MSI installer.
- The MSI installer deployed both the malicious BloxHolder app and the legitimate QTBitcoinTrader app, which had been previously used by the Lazarus Group.
- In October 2022, Lazarus switched to a weaponized Microsoft Office document (OKX Binance & Huobi VIP fee comparision.xls) to install AppleJeus, bypassing MSI-based delivery.
- Macros in the Office document decode base64 content and use a two-stage macro chain to deploy the payload, with a final payload downloaded from OpenDrive.
- Experts note the attackers used DLL side-loading to load the payload, and obfuscated strings and API calls to hinder analysis.
- Overall, the Lazarus campaign continues to target the cryptocurrency industry to bolster DPRK finances, employing evolving delivery methods and payloads.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The campaign used weaponized Microsoft Office documents to deliver malware, e.g., “In October 2022…weaponized Microsoft Office document, named ‘OKX Binance & Huobi VIP fee comparision.xls.’”
- [T1027] Obfuscated/Compressed Files and Information – The Office document encodes variables with base64 to guide deployment in the infected system.
- [T1059.005] Visual Basic – The macro is split into parts; the first decodes a base64 blob that contains a second macro, enabling multi-stage payload deployment.
- [T1105] Ingress Tool Transfer – The final payload is downloaded from a public file-sharing service (OpenDrive).
- [T1574.002] DLL Side-Loading – Lazarus used chained DLL side-loading to load payloads and evade analysis; obfuscated strings and API calls were employed.
Indicators of Compromise
- [Domain] bloxholder.com – registered by the attackers to host the fake trading site and distribute the MSI installer
- [Domain] haasonline.com – the legitimate HaasOnline platform whose site bloxholder.com cloned; a reference for the lure rather than attacker infrastructure
- [File hash] MD5 – eb1e19613a6a260ddd0ae9224178355b (Logagent.exe)
- [File hash] MD5 – e66bc1e91f1a214d098cf44ddb1ae91a (wsock32.dll, HijackingLib.dll)
- [File name] – Background.png – payload drop containing embedded components
- [File] – Logagent.exe – legitimate file dropped as part of the payload
- [File] – wsock32.dll – side-loaded library (HijackingLib.dll)
- [File] – 56762eb9-411c-4842-9530-9922c46ba2da – encoded payload name inside the final drop
- [URL/IP] OpenDrive – used as the host for downloading the final payload
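As an added hunting example (not code from the article or the researchers it cites), the script below walks a directory tree for the side-loading pair described under T1574.002: a wsock32.dll outside the Windows system directories, flagged more strongly when Logagent.exe sits beside it, with both files checked against the MD5 indicators listed above. The folder layout and the system-directory names it skips are assumptions.

```python
import hashlib
import os
from pathlib import Path

# MD5 values taken from the indicator list above.
IOC_MD5 = {
    "wsock32.dll": "e66bc1e91f1a214d098cf44ddb1ae91a",
    "logagent.exe": "eb1e19613a6a260ddd0ae9224178355b",
}
# Assumed legitimate homes for wsock32.dll; a copy anywhere else is suspect.
SYSTEM_DIRS = {"system32", "syswow64", "winsxs"}


def md5_of(path: Path) -> str:
    """Stream a file through MD5 so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: str) -> list:
    """Report every wsock32.dll found outside system directories under `root`.

    Each finding records the DLL hash, whether it matches the campaign IoC,
    and whether Logagent.exe (the side-loading host) is a sibling file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}  # case-insensitive name lookup
        if "wsock32.dll" not in lower:
            continue
        if {p.lower() for p in Path(dirpath).parts} & SYSTEM_DIRS:
            continue  # expected location for the real wsock32.dll, skip
        dll = Path(dirpath) / lower["wsock32.dll"]
        finding = {
            "dir": dirpath,
            "dll_md5": md5_of(dll),
            "logagent_sibling": "logagent.exe" in lower,
        }
        finding["dll_ioc_match"] = finding["dll_md5"] == IOC_MD5["wsock32.dll"]
        if finding["logagent_sibling"]:
            exe_md5 = md5_of(Path(dirpath) / lower["logagent.exe"])
            finding["logagent_ioc_match"] = exe_md5 == IOC_MD5["logagent.exe"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f)
```

A wsock32.dll beside Logagent.exe in a user-writable folder is worth triage even when the hashes differ, since the hashes change between builds while the side-loading layout does not.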
Read more: https://securityaffairs.co/wordpress/139290/apt/lazarus-apt-bloxholder-campaign.html