Kaspersky researchers have analyzed the attacks carried out by North Korea-linked Lazarus APT group in the past 18 months and confirmed their interest in banks and
In the mid-2018, the APT targeted
“While investigating a
“It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to.”
After releasing Operation AppleJeus, the Lazarus group carried out other attacks against
The malware did not have an encryption/decryption routine for network communication a circumstance that suggest it was still under development.
One victim was compromised by Windows AppleJeus malware in March 2019, experts determined that the infection started from a malicious file named WFCUpdater.exe.
The experts pointed out that while the Windows malware used in the campaign only had small changes, the
Recently Kaspersky detected a new
Some of the payloads were executed in memory, with a backdoor payload delivered in the final step of the attack chain.
“This final payload was designed to run only on certain systems. It seems that the malware authors produced and delivered malware that only works on specific systems based on previously collected information. The malware checks the infected system’s information and compares it to a given value.” continues the report. “It seems the actor wants to execute the final payload very carefully, and wants to evade detection by
Kaspersky identified several victims of Operation AppleJeus sequel, most of them were in the UK, Poland, Russia and China, and experts pointed out that many of them are linke
“The actor altered their
(SecurityAffairs – Lazarus APT group, hacking)